
“THE PANEL shall review safety studies and operations plans referred to it and
shall make reports thereon, shall advise the Administrator with respect to the
hazards of proposed or existing facilities and proposed operations and with
respect to the adequacy of proposed or existing safety standards and shall
perform such other duties as the Administrator may request.”

(NASA Authorization Act of 1968, 

Public Law 90-67, 42 U.S.C. 2477) 




Reply to Attn of:


National Aeronautics and 
Space Administration 

Headquarters 

Washington, DC 20546-0001 


q 1 February 2000 

Honorable Daniel S. Goldin 
Administrator 

National Aeronautics and Space Administration
Washington, DC 20546 

Dear Mr. Goldin: 



Submitted herewith is the annual report of the Aerospace Safety Advisory Panel for the calendar year 1999.
This year we have added explanations in Appendix B of the reasons for classifying NASA’s response to last
year’s recommendations as “open,” “continuing,” or “closed.” We request that NASA re-examine the issues
still considered “open” as part of its review of the current submission.

The Panel had productive interactions during the year with both NASA and contractor personnel. Many of 
the issues resulting from these discussions were closed as part of the Panel’s normal fact-finding activities. 
As a result, there are fewer specific findings and recommendations in this year’s report than in last year’s. 

Overall, it is our assessment that “safety first” is universal within the NASA programs. Safety consciousness, 
though necessary, is not sufficient to minimize risk. Until there are clear plans, international partner com- 
mitments, and adequate funding covering the lifetimes of the Space Shuttle and International Space Station 
programs, we will remain concerned about their safety over the long-term. 


Sincerely, 

Richard D. Blomberg 
Chair 

Aerospace Safety Advisory Panel






National Aeronautics and 
Space Administration 


Aerospace Safety Advisory Panel

ANNUAL REPORT FOR 1999

February 2000


Aerospace Safety Advisory Panel 

Code Q-1 

NASA Headquarters 
Washington, D.C. 20546 

Tel: 202/358-0914 

Web: http://www.hq.nasa.gov/office/codeq/codeq-1.htm



Table of Contents

I. Introduction

II. Findings and Recommendations

A. Workforce

B. Space Shuttle Program

C. International Space Station (ISS) Program

D. Extravehicular Activity (EVA)

E. Computer Hardware/Software

F. Aero-Space Technology

III. Information in Support of Findings and Recommendations

A. Workforce

B. Space Shuttle Program

C. International Space Station (ISS) Program

D. Extravehicular Activity (EVA)

E. Computer Hardware/Software

F. Aero-Space Technology

IV. Appendices

A. Aerospace Safety Advisory Panel Membership

B. NASA Response to Annual Report for 1998

C. Aerospace Safety Advisory Panel Activities, January-December 1999










I. Introduction 


This report covers the activities of the Aerospace Safety Advisory Panel (ASAP) for 
the calendar year 1999. This was a year of notable achievements and significant frustrations.
Both the Space Shuttle and International Space Station (ISS) programs were
delayed. The Space Shuttle prudently postponed launches after the occurrence of a 
wiring short during ascent of the STS-93 mission. The ISS construction schedule 
slipped as a result of the Space Shuttle delays and problems the Russians experi- 
enced in readying the Service Module and its launch vehicle. 

Each of these setbacks was dealt with in a constructive way. The STS-93 short circuit 
led to detailed wiring inspections and repairs on all four orbiters as well as analysis 
of other key subsystems for similar types of hidden damage. The ISS launch delays 
afforded time for further testing, training, development, and contingency planning. 

The safety consciousness of the NASA and contractor workforces, from hands-on 
labor to top management, continues high. Nevertheless, workforce issues remain 
among the most serious safety concerns of the Panel. Cutbacks and reorganizations
over the past several years have resulted in problems related to workforce size, crit- 
ical skills, and the extent of on-the-job experience. These problems have the 
potential to impact safety as the Space Shuttle launch rate increases to meet the 
demands of the ISS and its other customers. As with last year’s report, these work- 
force-related issues were considered of sufficient import to place them first in the 
material that follows. 

Some of the same issues of concern for the Space Shuttle and ISS arose in a review 
of the launch vehicle for the Terra mission that the Panel was asked by NASA to 
undertake. Other areas the Panel was requested to assess included the readiness of 
the Inertial Upper Stage for the deployment of the Chandra X-ray Observatory and 
the possible safety impact of electromagnetic effects on the Space Shuttle.

The findings and recommendations in this report do not highlight any major, 
immediate issues that might compromise the safe pursuit of the various NASA pro- 
grams. They do, however, cover concerns that the Panel believes should be 
addressed in the interest of maintaining NASA’s excellent safety record. The Panel 
is pleased to note that remedial efforts for some of the findings raised are under- 
way. Given appropriate funding and cooperative efforts among the 
Administration, the Congress and the various contractors, the Panel is convinced
that safety problems can be avoided or solved resulting in lower risk for NASA’s
human space and aeronautics programs. 

Section II of this report contains specific findings and recommendations generated 
by Panel activities during the calendar year 1999. Section III presents more detailed
information in support of these findings and recommendations. A current roster of
Panel members, consultants, and staff is included as Appendix A. Appendix B contains
NASA’s response to the findings and recommendations from the 1998 annual
report. It has been augmented this year to include brief explanations of why the
Panel classified the NASA response as “open,” “continuing,” or “closed.” Appendix C
lists the fact-finding activities of the Panel in 1999.

During the year, Mr. John F. McDonald retired as a consultant to the Panel after distinguished
service as both a member and consultant. Mr. Robert B. Sieck, retired
Director of Space Shuttle Processing at the Kennedy Space Center (KSC) and Admiral 
J. Paul Reason (USN, Ret), former Commander-in-Chief, U.S. Atlantic Fleet, joined the 
Panel as consultants. Mr. Norman B. Starkey left as executive director of the Panel to 
assume the position of Deputy Associate Administrator for Space Shuttle Operations. 
Ms. Suzanne E. Hilding, formerly Deputy Director (acting) of Space Shuttle Processing 
at KSC, succeeded him. 


II. Findings and Recommendations


A. WORKFORCE 

The Panel traditionally has not examined workforce questions in its assessments of 
the safety of NASA’s activities, particularly those associated with human space 
flight. However, in recent years, NASA and contractor employees have voiced their 
workforce-related concerns to Panel members during our fact-finding visits to 
NASA work sites, especially those at Office of Space Flight (OSF) centers—Johnson
Space Center (JSC), Kennedy Space Center (KSC), and Marshall Space Flight Center
(MSFC). In 1996, the Panel also was asked by the Office of Science and Technology
Policy (OSTP) to evaluate the potential safety impacts of ongoing efforts to 
improve and streamline operations of the Space Shuttle, including the substantial 
downsizing of NASA’s civil service workforce and the transition of many opera- 
tional responsibilities to the United Space Alliance (USA). In response to this 
request, the Panel reported its findings and recommendations in the Review of 
Issues Associated with Safe Operation and Management of the Space Shuttle 
Program (November 1996). 

These investigations resulted in specific findings and recommendations that were 
included in the OSTP-initiated study and in last year’s annual report. In the 1997 
annual report, the Panel did not make specific findings and recommendations but 
instead listed six workforce-related “concerns.”

An examination of these prior Panel reports reveals several consistent themes, 
such as: 

• Erosion of critical skills and loss of experience at OSF centers; 

• A growing lack of younger people at entry-level positions that will lead to a future 
leadership gap, especially in the “scientists & engineers” (S&Es) classification; 

• Insufficient training by both NASA and its contractors to fill the critical skills and 
experience gaps caused by downsizing; 

• A decreasing capacity to accommodate higher Space Shuttle flight rates for a sus- 
tained period. 




In the past year, NASA has focused increasing high-level attention on these issues. It 
organized a NASA-wide Core Capability Assessment (CCA), a center-by-center analy- 
sis to identify the workforce and infrastructure needed by NASA to carry out its 
mandated missions. Findings of the CCA were received by the Capital Investment 
Council and passed on for decision to the Senior Management Council. As discussed 
below, various positive steps were taken, such as lifting the hiring freeze and 
strengthening various training initiatives. The CCA continues to pursue these issues. 

The Panel recognizes and applauds these positive steps. However, we must also 
report that, based on our on-site reviews in 1999, workforce issues are not fully 
resolved. In particular, we have found continuing workforce problems at KSC, JSC, 
and MSFC related to Space Shuttle operations and the launching of the International 
Space Station. Similar workforce problems have been reported at other NASA cen- 
ters, particularly in the areas of flight training and flight testing. The Panel’s current 
findings and recommendations follow. 


Finding #1


The continuing downsizing at Office of Space Flight Field Centers, coupled with the 
effects of the prior hiring freeze and unplanned departures, has produced critical 
skills deficits in some areas, growing workload pressure and stress levels, and a seri- 
ous shortfall of younger S&Es. 

Recommendation #1

NASA must continue to address workforce problems aggressively and establish pro- 
gram priorities that ensure a workforce capable of achieving long-term safe and 
effective operations. Emphasis should be placed on eliminating critical skills short- 
falls and recruiting younger S&Es who can develop into experienced and skilled 
future leaders. 


Finding #2


The combination of downsizing losses, hiring restrictions, and transition of responsi- 
bilities from NASA to contractors, such as USA, continues to limit the opportunities 
for junior and mid-level NASA managers to gain the operational knowledge and expe- 
rience required for continued leadership in senior management positions. 

Recommendation #2

Innovative arrangements between NASA and its contractors to provide entry-level 
and mid-level NASA S&Es with operational, “hands-on” experience should be 
strengthened and expanded. Project management training initiatives, such as the 
Academy of Program & Project Leadership (APPL), must strive to broaden their out- 
reach to management teams and individuals at the Field Centers. 


B. SPACE SHUTTLE PROGRAM


The Space Shuttle government/contractor team continues to mature. Despite diffi- 
culties brought about by a lower than expected launch rate, funding uncertainties 
and an aging system, the team demonstrated that they indeed subscribe to and act in 
accordance with the principle, “safety first, schedule second.”

This is not to say there were not one-time anomalies and continuing problems. Yet, 
in all cases, a studied and correct course of action was undertaken, and safety was 
never compromised. In spite of significant pressures, NASA and its contractors 
employed thorough processes, exercised appropriate engineering judgment, and 
always maintained the primary importance of safety. That this was so can be attrib- 
uted to the dedication, teamwork, and decision processes of program personnel. 
Examples of this are to be found in the systematic and efficient processes used to 
solve problems such as aging wiring, the ejection of a liquid oxygen post-pin causing 
a hydrogen leak in a main engine nozzle, and other less spectacular events. The Panel
especially applauds the thoroughness of the Orbiter wiring review and further com- 
mends USA for conducting a similar review of other critical systems. 

Although the Space Shuttle program was successful in 1999, the Panel does have con- 
cerns for the future. 

There are still too many process escapes, and there is concern about the extent of 
true insight NASA has into contractor practices. 

The aforementioned electrical wiring problem could well be a harbinger of things to 
come in the aging Orbiter fleet. The Panel hopes that the lessons being learned 
about aging aircraft at NASA Research Centers, in the airline industry, and in the 
Department of Defense will be applied to the Orbiter. Meanwhile, the underfunded 
and slow-paced implementation of the Orbiter Upgrade Program does not bode well 
for any early improvements. The Panel believes Congress and NASA should pay close 
attention to the findings and recommendations of the National Research Council’s 
report, Upgrading the Space Shuttle (1999). 

Special focus must be placed on identifying and eliminating vulnerabilities (such 
as redundant systems located in close proximity). Additionally, more attention is 
needed on upgrading avionics as discussed in the Computer Hardware/Software sec- 
tion of this report. 

Obsolescence and projected increases in flight rates coupled with longer turnaround 
times for component repairs cause concern about the ability to support the Space 
Shuttle manifest. 




The lingering effects of workforce downsizing and the uncertainty as to how this 
downsized and aging workforce will accommodate to the projected increase in 
launch rate associated with the International Space Station (ISS) are yet to be 
resolved. In spite of possibly excessive cutbacks, launch processing demands in the 
short term can be met at an acceptable level of safety risk. This effort, however, will 
likely further reduce the personnel available to work on productivity enhancements 
and system life extension activities. 

Due to the unusually low recent Space Shuttle flight rate, the reduced workforce has 
been able to keep up with processing and short-term Ground Support Equipment 
(GSE) and facility maintenance demands. With future flight rates scheduled to rise to
as many as eight per year, with surges equivalent to a rate of 12, this may no longer 
be the case. 

The Panel presents the following as findings worthy of particular attention. 


Finding #3


The Space Shuttle Program Office has instituted a set of Process Control Focus 
Groups whose goal is to implement “best practice” commonality in change control 
procedures across all supplier tiers. 

Recommendation #3

Focus the active and dedicated support of senior management of the major contractors
and all their subcontractors on implementing the process control “best
practices” as soon as feasible. NASA must be fully apprised of all process changes 
even if they result in a product that meets requirements. 



Finding #4


Although progress has been made to improve the quality, accuracy, and traceability 
of the work instructions (“paperwork” used in the processing of Space Shuttle 
Orbiters) much remains to be done to provide correct and unambiguous procedures. 
There are still too many unincorporated changes. 

Recommendation #4

Efforts to improve the quality, accuracy, and traceability of the work paper as well as 
the timeliness of incorporation of changes to work instructions must be given higher 
priority by both NASA and USA in a coordinated, systematic effort. 


Finding #5


There is no systematic plan to counter obsolescence and assure the availability of 
adequate facilities, GSE, and specialized test-and-checkout equipment throughout the 
expected lifetime of the Space Shuttle. 

Recommendation #5

Develop and execute a plan to ensure that all needed support and test-and-checkout 
facilities and equipment are assured available and protected from obsolescence for 
the maximum foreseeable life of the Space Shuttle. 



Finding #6


Space Shuttle processing workload is sufficiently high that it is unrealistic to depend 
on the current staff to support higher flight rates and simultaneously develop pro- 
ductivity improvements to compensate for reduced head counts. NASA and USA 
cannot depend solely on improved productivity to meet increasing launch demands.

Recommendation #6

Hire additional personnel and support them with adequate training. 


Finding #7


Due to attrition of experienced personnel, NASA and its contractors are assigning 
more newly trained personnel to Space Shuttle operations tasks. This has led to concerns
in the workforce regarding the qualifications of some newly-assigned personnel.

Recommendation #7

NASA and its contractors must ensure that their training, certification, and task assign- 
ment processes are such that only suitably qualified engineering and technical 
personnel are performing Space Shuttle operations. Any training and licensing pro- 
gram to certify new personnel must include both testing of acquired skills and 
demonstrated proficiency on the assigned task. 


C. INTERNATIONAL SPACE STATION (ISS) PROGRAM

The past year has been one of progress and consolidation for the ISS. Experience 
with the launch and integration of the first several elements into the Multi-Element 
Integrated Tests (MEIT) and on orbit indicates that the program is well underway and 
that the overall system is robust. It is encouraging that problems have been found 
and corrected in MEIT and that planning for the third phase of such testing has 
begun. This phase will involve the International Partners (IPs) and requires additional 
funding which the Panel has been given to understand will soon be forthcoming. 

The hazard of Micrometeoroids and Orbital Debris (MM/OD) is well recognized. 
Analyses have been presented which show that the risk is manageable, so long as 
reasonable precautions are made. Such precautions include avoiding tracked debris, 
providing sufficient instrumentation to detect and locate penetration of the pressurized
modules, training the crew to react quickly in a depressurization emergency, and
augmenting the shielding of the Russian Segment on orbit. 

It is particularly gratifying to see that an integrated debris tracking and warning 
system has been created in conjunction with the U.S. Space Command Space 
Surveillance Network. On one occasion this year, early warning of an impending 
close encounter was made, and timely, suitable evasive maneuvering was effected, 
demonstrating the practicability of the system. 

Planning and development for caution and warning, damage assessment, and control 
has come a long way since the Panel first commented on the subject several years 
ago. The present approach seems reasonable and well thought out, and it is particu- 
larly heartwarming to see that the Astronaut Office is fully engaged in its 
development. Work on a sensor system to localize any sizeable pressure vessel pene- 
tration is progressing and, if successful, should lead to a fully engineered and 
deployed capability. 

Overall, the ISS has been progressing productively including addressing items that 
the Panel had found lagging in previous reports. The majority of issues related to the
ISS that the Panel examined during the year were satisfactorily resolved prior to the 
preparation of this report. The Panel offers the following three findings and recom- 
mendations. 


Finding #8


Acquisition of the ISS Crew Return Vehicle (CRV) has been lagging and appears to be 
facing further delay. The full-crew CRV is needed for long-term safe operation of the 
ISS with a crew larger than three astronauts. 

Recommendation #8

Take whatever steps are necessary to halt the delays to the CRV program without 
jeopardizing adequate demonstration of safety of design and certification of human- 
rating. 


Finding #9


The NASA personnel who are involved in finding solutions for the problems of radi- 
ation in space have developed an excellent long-range plan to define approaches for 
crew protection. 

Recommendation #9

Continue to support the nascent, but better defined, radiation effects research and 
development program. 


Finding #10


The Russian Solid Fuel Oxygen Generator (SFOG) is baselined as the backup oxygen 
supply system for the ISS. This device has experienced problems in its application 
on Mir and thus may be a potential safety hazard when operated on the ISS. 

Recommendation #10

Examine ways to eliminate the risks posed by the use of the Russian SFOG such as 
by determining the availability of a better, “off-the-shelf” safety-proven SFOG or by initiating
an R&D effort to produce a safer alternative.


D. EXTRAVEHICULAR ACTIVITY (EVA)


The timely completion of the very success-oriented ISS assembly schedule depends 
not on some leading edge of technology, but, rather, on the safe execution, under 
stressful conditions, of complex mechanical operations by tethered humans in space. 
Thus, the Panel has taken a special interest in preparations by the EVA Project Office 
for the impending potentially high-risk program. The ongoing Panel review encom- 
passes equipment, training, and joint U.S.-Russian procedures, ground rules, and 
protocols. The resultant picture is largely positive in the short-term. 

The EVA project has been proactive in addressing the Panel’s concerns and planning 
for safe ISS and Space Shuttle operations. For example, the range of Hard Upper Torso 
(HUT) sizing will be expanded to include small HUT units. Also, the long-term availability
of Simplified Aid for EVA Rescue (SAFER) units on orbit will be assured by the
procurement of critical spares and additional flight units. 

The long-term picture is less promising. The EVA Research and Technology (R&T) 
program has suffered a funding cut. This program, when fully funded, had the poten- 
tial to develop new technologies that would have supported the later years of the ISS 
and advanced space exploration activities. Extensive planned EVA activity for the ISS, 
associated wear-and-tear on the equipment and obsolescence render it unrealistic to 
expect the existing EVA assets to last the entire 15-year projected lifetime of the ISS.
While further procurement of existing designs may be possible, it is preferable to 
incorporate improvements when additional equipment is acquired. 

The Panel has two findings in this subject area this year. 


Finding #11


The EVA Project Office has several planned initiatives to ensure the availability of 
adequate EVA resources to support the ISS and Space Shuttle. These initiatives cover 
acquisition of materiel, development of procedures, and improved training. 

Recommendation #11

Expedite completion of the planned initiatives related to the safety of EVA so that 
maximum benefit can be realized during the upcoming intensive ISS assembly sched- 
ule. 


Finding #12


The funding of the EVA R&T program is not adequate to provide the maximum safety 
benefit in terms of new equipment and procedures that lower the risk of extrave- 
hicular activities. 

Recommendation #12

Fund a robust EVA R&T program. 


E. COMPUTER HARDWARE/SOFTWARE


The activities of NASA and its contractors over the past year have been responsive to 
most of the computer issues raised in last year’s report. Many of these issues, however,
will take years to fully resolve. The Panel has therefore opted not to revisit these
issues in this report although it will continue to monitor future progress. Instead, sev- 
eral new issues that have come to the forefront during the past year will be 
addressed. 

Agency-wide computer security is one such issue. This topic has become important 
to the Government as a whole, not just NASA. NASA has taken a number of positive 
initial steps toward identifying the extent of the problem and instituting mechanisms 
to deal with it. However, these steps will take several years to fully deploy. The Panel 
has several recommendations in support of these efforts, both at the agency-wide 
level and for specific projects. 

Secondly, this report addresses a pair of issues regarding avionics upgrades to the 
Space Shuttle. Some excellent plans have been developed for overcoming avionics 
obsolescence problems. The Panel supports moving ahead with most of these, but 
suggests careful evaluation of their impact on “Crit 1” (risk of loss of life) functions.

Finally, we raise a concern about incident investigation and long-term operability of 
the ISS. 

One point not covered by a specific finding and recommendation relates to the 
Schedule Release Control Board (SRCB) developed by the ISS program to assist 
timely software delivery. The SRCB has proven to be an effective mechanism for man- 
aging schedules and preventing last minute problems. This concept might profitably 
be applied to other major software programs within the Agency. 


Finding #13


NASA has taken positive steps for upgrading security on the ISS uplink by adopting 
a more robust encryption scheme. The downlink and the links between the Mission 
Control Centers (MCCs) in Houston and Moscow, however, are not encoded. 

Recommendation #13

Conduct an overall threat analysis of the Space Station downlink and its interfaces to 
both MCC Houston and MCC Moscow. 


Finding #14


NASA has initiated an agency-wide program to deal with general computer security. 
Significant parts of NASA’s initial plan depend upon the voluntary compliance of 
system users including contractors. 

Recommendation #14

Expand the agency-wide security system development work to include less depen- 
dence on human compliance with the system. NASA should also require contractors 
to participate in its security efforts. 


Finding #15

Further analysis of NASA’s planned agency-wide computer security system is needed 
to understand its vulnerabilities and the programs and activities to which the system 
should be applicable. 

Recommendation #15

Conduct a thorough analysis, together with the National Security Agency, to deter- 
mine the level of computer security required by the Agency, the level of security that 
can be expected from the system and its most serious vulnerabilities. Also require all 
major mission or safety critical programs to have a qualified third party conduct a 
computer vulnerability analysis of their designs as soon as possible. 


Finding #16


NASA has established an Avionics Upgrade Architecture Team (AUAT) charged with 
studying Space Shuttle avionics systems and recommending upgrades. The AUAT has 
conducted a thorough study and developed an excellent Block I upgrade plan that 
addresses the most serious needs, but as yet it is unfunded. 

Recommendation #16

Proceed with full funding for the proposed Block I Space Shuttle avionics upgrades 
as rapidly as possible. 


Finding #17


Part of the AUAT’s initial approach is to install three mission computers to augment 
the existing General Purpose Computers (GPCs). The specific functions to be off- 
loaded from the GPCs to the mission computers have yet to be determined. 
Eventually, the AUAT plans to consider moving some “Crit 1” functions to the mission
computers. 

Recommendation #17

Do not move any “Crit 1” functions to the mission computers unless memory requirements
in the GPC demand it and then only after an appropriate risk analysis is
performed. 


Finding #18


The long-term support of the International Partners with respect to software source 
code is essential to the safe operation of the ISS and the resolution of any software- 
related anomalies. 

Recommendation #18

Solidify long-term source code maintenance and incident investigation agreements 
for all software being developed by the International Partners as quickly as possible, 
and develop contingency plans for all operations that cannot be adequately placed 
under NASA’s control. 


F. AERO-SPACE TECHNOLOGY


The NASA Aero-Space Technology Enterprise has shifted emphasis from programs 
connected with aviation to projects focused on space transportation and information 
systems. At the same time, the funding for the Enterprise has been significantly 
reduced. A most undesirable result has been a reduction of expenditures on those 
efforts which have the potential to enhance long-term aviation safety. On the other
hand, the talent and enthusiastic dedication to safety of NASA personnel charged 
with pursuing the Three Pillars for Success strategic plan are undiminished. All they 
need are the resources to do the job. 

Reduced funding for the Three Pillars notwithstanding, there are a number of ongo- 
ing NASA aviation research projects which have the potential to enhance aviation 
safety. Some examples are the Aircraft Performance and Monitoring System, crew 
fatigue studies, and next generation “Intelligent Flight Control” efforts. The latter
employs a neural network system which can automatically compensate for a broad 
spectrum of aircraft problems and malfunctions. Closely allied with the Intelligent 
Flight Control System is the quadruple redundant digital flight control system on the 
“ACTIVE” aircraft.

The Intelligent Synthesis Environment (ISE) program holds much promise, but clear 
goals seem to be lacking. 

Key to many NASA, academic, and private sector efforts to enhance flight safety are 
the NASA wind tunnels. Yet, aside from the potential deterioration of these national 
resources due to underfunding, an immediate concern is rooted in the announced 
intention to cross-train wind tunnel operators. Each installation is unique, and the 
Panel is skeptical that such cross-training can be maintained without compromising 
safety.

Finally, in the Space Shuttle program section of this report is a finding on process 
control. The Aero-Space Technology Enterprise could well follow the example of the
Space Shuttle program in ferreting out process control problems. For example, a 
recent Perseus Unoccupied Air Vehicle (UAV) flight termination failure was traced to 
a process control problem. It could happen elsewhere. 

Beyond the above, the following are the Panel's specific findings and recommenda- 
tions. 




Finding #19


Programs such as the now-defunct High Speed Research and Advanced Subsonic 
Technology often yield aircraft safety improvements. Elimination of these programs 
may well be inimical to advances in aviation safety. 

Recommendation #19

Identify those elements of the eliminated programs which had the potential to
improve aviation safety and cover them elsewhere. 





Finding #20


The involvement of Center Directors in aviation flight readiness, flight clearance, and 
aviation safety review board matters is not uniformly satisfactory.


Recommendation #20


Underscore the need for Center Directors to become involved personally in aviation
flight readiness, flight clearance, and aviation safety review board matters. 




Finding #21


NASA’s responsibilities with regard to aviation flight safety when a contractor con- 
ducts flights and/or provides payloads are not clearly defined. 

Recommendation #21

Define more explicitly the safety responsibilities of NASA Centers when conducting, 
supervising, or participating in contractor-operated aviation flight and payload oper- 
ations. 





Finding #22


The chain of safety responsibility for the operation of the Stratospheric Observatory 
for Infrared Astronomy (SOFIA) aircraft is complex and unclear. 

Recommendation #22

Sort out and clear up the SOFIA chain of flight operations safety responsibility. 




Finding #23


In planning for SOFIA operations, aviation safety and flight personnel have had min- 
imal involvement. 

Recommendation #23

Involve cognizant aviation safety and flight personnel in SOFIA planning and devel- 
opment on a routine basis. 




Finding #24


As currently configured, the SOFIA aircraft does not contain avionics consistent with 
best practices for international operations. 

Recommendation #24

Ensure that the SOFIA aircraft is configured in accordance with prevailing interna- 
tional airline avionics practices. 









III. Information in Support of Findings and Recommendations









A. WORKFORCE 

Ref: Finding #1

In the past year, the workforce issue has received focused attention at the highest 
levels of NASA. The Core Capability Assessment (CCA) generated an intensive look 
at the workforce and infrastructure requirements of the Offices and Field Centers in 
order to carry out their assigned missions. The Office of Space Flight (OSF) Centers 
reported the most difficulty in meeting their current program responsibilities with 
the workforce targets established by the Zero Base Review (ZBR) conducted in the 
mid-1990s. Some marginal adjustments to these workforce targets were recom- 
mended by the CCA and approved by the Senior Management Council. These 
adjustments have had two major impacts: (1) the hiring freeze that essentially 
stopped all new hires for the OSF ended in favor of a general formula of one new hire 
for every two additional Full Time Equivalent (FTE) reductions; and (2) the ZBR-man- 
dated workforce ceilings are still in place but their implementation has been 
stretched out by several years. 

Nevertheless, this positive activity did not change the fundamental situation faced at 
the OSF Centers in carrying out safe and effective operations of the Space Shuttle 
and the design, verification, launch, and assembly of the International Space Station 
(ISS). The Panel heard consistent and repeated reports — from high-level administrative
leaders to floor-level technicians — of critical skills shortages at the Johnson
Space Center (JSC), Kennedy Space Center (KSC), and Marshall Space Flight Center
(MSFC), along with a general lack of workforce resources needed to sustain the pro- 
jected flight rate of the Space Shuttle and the ISS segments. Similar workforce 
concerns have been reported by other NASA Centers, particularly in the areas of 
flight training and flight testing. These workforce shortfalls in certain critical skills 
are also a factor in the questionable capability of the United Space Alliance (USA) to 
achieve the higher flight rates projected in 2000 and 2001. The Panel has also been 
assured repeatedly by NASA and USA that under no circumstances will safe opera- 
tions be sacrificed due to workforce limitations. While the Panel believes this 
commitment to operational safety is sincere, the increased danger of inadvertent 
human error in a stressful work environment cannot be ignored. 




The reality of a work environment of increasing stress was validated by studies at JSC 
and MSFC. A Stress Management Advisory Team was established at JSC to examine 
indicators of stress in the JSC workforce, understand the reasons for stress, and 
develop recommendations to manage this stress. At MSFC, the Employee Assistance 
Program has reported a near doubling (from 400 to 700) of stress-related cases from 
1997 to 1999. 

A final concern of the Panel carried over from prior annual reports is the need to
resume active recruitment of the S&Es who will provide a foundation for developing 
NASA’s future leaders. The combination of recent downsizing and the hiring freeze 
has severely impacted NASA’s population of entrance-level S&Es. At KSC there are 
twice as many S&Es over age 60 as under 30. Although the CCA has resulted in
some limited new hires, these positions have been filled with more senior persons 
with the higher experience levels needed to fill existing critical skills deficits, rather 
than “fresh-out” graduates. Eliminating this future leadership gap continues to be a 
challenge that NASA needs to address. Further, the recently approved hiring formula 
(one new hire for every two departures) continues the downsizing at the OSF 
Centers. 




Ref: Finding #2


In recent years, the Panel has expressed concern over the effect that downsizing and 
the transition of NASA responsibilities to contractors has had on the development of 
highly experienced and knowledgeable senior managers within NASA. As the NASA 
workforce shifts its focus to providing “insight” of contractor performance, the 
opportunities to acquire essential “hands-on” knowledge and experience will 
decline. This decline potentially can inhibit the ability of future senior managers to 
ensure the safe and effective conduct of NASA programs. 

In the past year, the Panel has learned of positive steps underway to deal proactively 
with this situation. With the complete lifting of the hiring freeze (although OSF 
Centers are still limited to one new hire for every two FTE reductions), the focus has 
officially shifted from downsizing to “revitalization” of the workforce. Training bud- 
gets have been increased across NASA. Travel money is more readily available to 
permit employees to travel to training sites. Training initiatives, such as the Academy 
of Program & Project Leadership (APPL), are developing tools to strengthen project 
management skills of individuals and teams. The CADRE-PM program will make 
developmental resources available to future leaders. These are needed and worth- 
while initiatives. 

The Panel has also found that the current impact of these training efforts is limited. 
From the perspective of the Field Centers, their objectives are applauded but the 
training programs have yet to achieve a significant impact. The current workload 
leaves little time for training. The difficulty of capturing and preserving the technical,
hands-on knowledge and experience needed by future senior managers is also 
acknowledged. It was pointed out to the Panel that it is a lot easier to train managers 
than it is to develop leaders. There is no substitute for the challenges associated with 
direct, working experience in this leadership development process. 

Accordingly, NASA and its contractors, especially USA, must continue to seek various 
innovative working arrangements that can provide the challenges and opportunities 
essential to building competent, experienced, and self-confident senior managers, 
vital components in sustaining safety and effectiveness. 




B. SPACE SHUTTLE PROGRAM


Ref: Finding #3

A Space Shuttle Program Manager’s Review (PMR) held in August 1999 concentrated 
on current process change control activities and solicited improvements that could 
be made to achieve commonality across the program. It was noted that some process 
integrity audits are being conducted, as a part of compliance audits at several sub- 
contractor tier levels, supplemented by face-to-face visits with subcontractors by 
prime contractors. A significant outcome of the PMR was to drive toward applying 
commonality of process change control across the program as a whole. The PMR rec- 
ognized the need for a message to individual employees that process control is a 
critical activity in maintaining Space Shuttle safety. The Panel has participated with 
NASA and USA in visiting a sample of lower tier subcontractors on the program. 
Some of these subcontractors were small shops with less than 50 employees. It was 
encouraging to find that these subcontractors were keenly aware that their product 
was to be used on human space flight vehicles, and that conformance to the proce- 
dures and requirements specified was mandatory in order to maintain Space Shuttle 
performance and reliability. 

For example, in consonance with the PMR, Thiokol had already implemented a program
of Process/Product Integrity Audits (PPIA). These are line-by-line self-audits of the
procedures which implement a process to ensure that the intent of the procedure is
understood and workable. That review is conducted by the Thiokol users and owners 
of the process with NASA participation. Thiokol has encouraged their lower tier sub- 
contractors to conduct this same type of audit and has received favorable results. 

Thiokol has also begun to apply the Failure Modes and Effects Analysis (FMEA) disci- 
pline to their manufacturing processes. These process FMEAs have identified 
improvements which are yielding a significant reduction in the number of hardware 
discrepancies. This activity and the PPIA methodology are applicable to the other
contractors on the Space Shuttle program, and their implementation should be encouraged.




Ref: Finding #4


As noted in last year’s report, there are still many “deviations” and changes in the 
build paper and procedures not yet incorporated in the work paper. Working with 
obsolete and/or incorrect work paper is both inefficient and potentially hazardous 
to personnel and to mission success. There have also been several processing inci- 
dents during the year that were traced at least in part to poor paperwork or 
inadequate paperwork traceability. 

USA has undertaken promising paperwork improvements including reformatting of 
the “procedures” to include extensive use of graphics and digital photography. This 
should improve the comprehensibility of the instructions and reduce ambiguities. 
Progress towards the completion of this work has been very slow. Although USA has 
attempted to communicate the objectives and nature of the proposed changes in 
format and content to the workforce, many of the “hands-on” personnel have yet to 
see any of the products of the program. Changes to work instructions must be given 
higher priority by both NASA and USA in a coordinated, systematic effort. This will 
be even more important as the launch rate increases to accommodate the Space 
Station program. 

While the paperwork improvement program is vital for the long-term effectiveness 
of standard launch preparations and operations, there are non-standard situations 
that demand extra attention and care. For example, the wiring inspection of all the 
Orbiters required rapid and extensive generation of new work instructions. Careful 
review of the instructions must be made before implementation, and a system for 
correct and rapid verification of the validity of proposed changes prior to incorpo- 
ration must be established. 




Ref: Finding #5


Most of the facilities, ground support equipment (GSE), and specialized test and 
checkout devices used to prepare the Space Shuttle for launch are 20 or more years 
old. While some Space Shuttle components have been upgraded, the equipment used 
to check them out or repair them is often still the original. This forces dependence 
on equipment and facilities that may be approaching obsolescence and may be aging 
to the point of becoming unreliable. 

To date, corrective maintenance has been good, and preventative actions have been 
sufficient to forestall major problems. It is unlikely, however, that all of the key facil- 
ities, GSE, and test equipment can continue to be made available indefinitely without 
either total replacement or at least upgrading key subsystems or components. 

A comprehensive plan to carry the vital components of the Space Shuttle infrastruc- 
ture across the expected service life of the program has yet to be prepared. Such a 
plan is needed so that resources can be allocated across multiple years to ensure that 
all needed improvements and replacements can be executed in a timely manner. The 
plan should encompass all of the infrastructure and equipment needed by the Space 
Shuttle at all relevant NASA Centers. It should also detail specific actions, schedules, 
and budget needs so that there is a clear roadmap to prevent the loss of critical capa- 
bilities. 




Ref: Finding #6


The NASA and USA workforces at the Kennedy Space Center (KSC) have been down- 
sizing for several years. Further staff reductions are planned to meet arbitrary staffing 
targets set almost five years ago. Coupled with retirements and unplanned staff 
departures, this downsizing has led to critical skills shortages among the personnel 
needed to prepare and launch the Space Shuttle. While requirements for processing 
have been reanalyzed and reduced somewhat, they have not fallen enough to com- 
pensate fully for the loss of personnel. 

In recognition of the need to restore launch processing capability after the staff down- 
sizing, USA has initiated a series of productivity enhancements intended to process 
and launch more Space Shuttles with a smaller staff. These initiatives include items 
such as the introduction of new software to automate tasks previously accomplished 
manually, revised scheduling methods, and more standardized work instructions.

The reduced capacity to process and launch Space Shuttles has not presented an 
operational or safety problem over the past two years as flight rates have been low, 
and intervals between flights have been quite long. Future manifests place far 
greater demands on the launch processing system. In particular, the ISS construction 
sequence requires launching the 3A, 4A, and 5A increments at approximately one- 
month intervals. This is an effective launch rate of 12 per year. A launch rate of this 
magnitude will likely cause problems for both NASA and USA unless their personnel 
resources are augmented. 

Although promising in the long term, USA productivity initiatives have yet to mature 
to the point where they can compensate for the loss of personnel. One of the prob- 
lems is that the same experienced people who are the prime team for launch 
processing are needed to develop, test, and implement the productivity enhance- 
ments. This further increases their workload and delays the time when the initiatives 
will be on-line. 

In light of this situation, it seems prudent not to rely solely on productivity enhance- 
ments to meet increased flight rates. NASA and USA should increase staffing and/or 
rearrange the Space Shuttle flight manifest to ensure that sufficient trained and expe- 
rienced personnel are available for processing using the current procedures while 
simultaneously maintaining a core of these individuals working on productivity 
improvements. 




Ref: Finding #7


NASA and its contractors have reduced their engineering, technician, and inspector 
workforces. This has resulted in skills shortfalls in certain areas. In addition, the antic- 
ipated Space Shuttle flight rate represents an increase in launches that will require 
USA to add staff to meet planned and unexpected processing demands. 

The demands on experienced personnel can be expected to mount as attrition con- 
tinues, the flight rate increases and the amount of non-standard processing work 
rises. The current commitment and sensitivity to safety is high, and personnel indi- 
cate they will stop if they are unsure about proceeding with operations tasks. While 
this discipline is currently in place, it will be tested more and more as the flight rate 
and inevitable schedule pressures increase. This issue was raised in the Panel’s 1998 
annual report. 

In response to the need for additional personnel with specific skills, USA has initiated 
training programs. These are applied to new hires, transfers from other skill areas, and 
as cross-training for workers who will carry multiple certifications. This is basically 
a sound approach to building a more flexible and robust skills inventory. The prob- 
lem, however, is that many Space Shuttle engineering and technical tasks are 
relatively unique in the aerospace industry. They are best learned through a combi- 
nation of training and a mentoring or apprenticeship process in which the new 
worker has the opportunity to become proficient at the task under the supervision 
of an experienced colleague. 

At present, newly trained and certified employees are not prohibited from performing
tasks alone or as the lead person on a team. It seems only prudent that the
long-standing Space Shuttle practice of transitioning trainees into a task under super- 
vision be institutionalized as a requirement. This will ensure that everyone working 
on the Space Shuttle has both adequate training and sufficient experience to perform 
the task properly and thereby preserve the safety of the system.


It also must be noted that the training situation will become particularly difficult for 
NASA whose personnel have transitioned away from the “hands on” operations 
where most of their skills were obtained.





C. INTERNATIONAL SPACE STATION (ISS) PROGRAM

Ref: Finding #8


The Panel has continuously supported the need for the development and procure- 
ment of a full-crew Crew Return Vehicle (CRV) for the ISS. Safe operation of the ISS 
with more than a three-person crew will not be possible until such a CRV is avail- 
able. This is stipulated in the mission operating rules. 

The present deployment plans call for a U.S. CRV with a seven-person capacity 
together with a Soyuz vehicle that is limited to three passengers. In addition, each of 
the Soyuz occupants must have an individually fitted seat liner. This limits the flexi- 
bility of return operations. 

There is an uncertain supply of Soyuz vehicles, which must be exchanged every six 
months while on orbit. The CRV procurement has been delayed. This situation could 
bring additional pressure to accelerate the vehicle and human-rating certification 
processes. This cannot be permitted. While all due haste is needed to acquire the 
CRV, there can be no shortcuts in certification and human-rating requirements if 
safety is to be maintained. 

In light of these considerations, it is essential to begin the design and acquisition 
processes for the CRV as expeditiously as possible. 




Ref: Finding #9


The hazards to personnel from radiation during space flight appear now to be well 
recognized. Also acknowledged is the need to go well beyond ALARA (“as low as rea- 
sonably achievable”) to provide proper protection for our astronauts. Inadequacies 
in our systems to detect and measure radiation fields, to monitor individual exposure, 
to construct models capable of predicting solar events, to shield vehicles and space 
suits with minimum weight penalty, to specify operating procedures that limit radia- 
tion exposure, and related topics have been identified for study and development. A 
sustained, focused, and well-supported program will be required to achieve results 
that will benefit the ISS in the near term and Mars and beyond in the longer term. 





Ref: Finding #10


The Russian Solid Fuel Oxygen Generator (SFOG) proposed for use on the ISS as a 
backup source of oxygen has a star-crossed history, having caused a serious fire on 
Mir. Recent tests have revealed that the Russian SFOG unit can reach temperatures 
capable of melting the steel canister, and there is a susceptibility to react to contam- 
inants. A suitable replacement system may be available/adaptable from commercial 
aviation or submarine applications. If not, NASA, perhaps in conjunction with other 
potential users, should develop a safer standby oxygen source for the ISS. 





D. EXTRAVEHICULAR ACTIVITY (EVA)


Ref: Findings #11 and #12

Timely and safe execution of the ISS assembly sequence will require near-perfect per- 
formance by the EVA team. Differences remain between U.S. and Russian procedures, 
some equipment and tools are still under development and must be tested, and train- 
ing must then be completed. Delays to date in the assembly sequence have been 
fortuitous; now the proposed schedule appears achievable. 

For the long-term health of NASA’s EVA activities, an aggressive R&T program is 
needed. This program could profitably focus both on near-term solutions to ISS and 
Space Shuttle mission requirements as well as on future exploration of space, e.g. a 
new spacesuit for a planetary mission.




E. COMPUTER HARDWARE/SOFTWARE


Ref: Finding #13

Significant care has been taken to prevent potential security breaches in both the 
uplink and downlink for the Space Station. As with any complex system involving 
multinational contracts and relationships, it is impossible to ensure that a determined 
hacker with adequate resources and incentives could not break into the command 
link. However, it has not been possible to find a credible scenario that would result
in anything more serious than denial of service because of the interaction with the 
crew and all the checks and balances in the processes. 

The present ISS design does not involve encrypting the downlink from the station to 
the Moscow or Houston Mission Control Centers (MCCs). The link between the two
MCCs is also not encoded. It would be beneficial to have an independent threat 
assessment of these links. Unfortunately, the National Security Agency (NSA) is pro- 
hibited by law from giving counsel on foreign systems. 




Ref: Findings #14 and #15


NASA’s security efforts involve finding or developing security tools, training NASA 
employees in security, conducting vulnerability testing at NASA Centers, reporting 
and recording all incidents, and developing cryptographic techniques. Several 
Centers are involved in supporting activities. An Integration Team has been formed, 
reporting to the NASA Chief Information Officer (CIO), that coordinates these activ- 
ities. One of the first things the team did was to acquire tools that help with intrusion 
detection and analysis of systems for security vulnerabilities. At one Center, over
11,000 vulnerabilities (no actual intrusions, just ways they might have occurred)
were detected. NASA plans to have a third party conduct a vulnerability test on each 
of the NASA Centers, a wise decision that should be pursued as rapidly as possible. 
This will take some time. In the interim, critical programs already underway should 
initiate their own third party vulnerability analyses. 

The training requirements for use of new security tools are daunting. Systems admin- 
istrators who handle dozens of different kinds of systems, program managers, and the 
users all must become familiar with and use good practices and tools. At present, 
much effort is going into development of training materials. It will be 2001 before 
they are in full swing. NASA should prioritize the training deployment so the most 
critical systems are covered as quickly as possible. 

The Public Key Infrastructure (PKI), with selectable Digital Encryption System (DES)
or triple-DES encryption, will be at the core of the information technology security
system. It is based on a two-key encryption system — one public and one private —
for each registered user. The PKI ensures information privacy, data integrity and
signature authentication. The cost to deploy it to all NASA employees and selected
contractors (100,000 certificates) is relatively modest. To date, NASA has purchased
20,000 certificates. PKI is expected to be operational throughout NASA by the end
of FY2000. Documents can be encrypted at a selectable level of security, at the dis- 
cretion of the author. It is planned that all employees will use it. Deployment on an 
experimental basis is beginning. Use of the tool is voluntary at present; even if 
required, getting all individuals to remember to comply is likely to be difficult. Also, 
licenses were obtained only for NASA employees, not NASA contractor personnel. 
This raises the concerns that it will be difficult to obtain uniform usage across all 
levels of employees and that leaving it optional to the contractors compromises the 
security that could be achieved. 





Ref: Findings #16 and #17


Obsolescence of the Space Shuttle avionics suite is a key issue. Some devices and 
components will soon become unsupportable. Original Equipment Manufacturers 
(OEMs) are leaving the government markets for the commercial markets. Mission 
requirements changes in communications, instrumentation, processing, and display 
are projected to exceed the capacity of current systems, and improvements are nec- 
essary to achieve operational goals. To address these issues, NASA has established the 
Avionics Upgrade Architecture Team (AUAT) and charged it with analyzing the situa- 
tion and recommending necessary upgrades. 

One of the avionics issues that has long concerned the Panel is the General Purpose 
Computer (GPC) system. While the Panel is now comfortable that the GPC hardware 
can be maintained until 2020, improvements are necessary if it is to accommodate 
the many anticipated software changes. The AUAT's analysis of the Central Processor
Unit (CPU) and memory utilization suggests that unless something is done to off-load 
functionality or stop new increases in functionality, the GPC software will exceed 
the CPU and memory capacity by 2010. Previous efforts to limit Space Shuttle soft- 
ware growth have not been successful. The Panel believes that Space Shuttle 
software cannot be maintained within the GPC memory limits until 2020 without 
off-loading some functions. 

The AUAT has developed an excellent plan that can relieve the GPC memory prob- 
lem by moving some functions from the GPCs to new mission computers. The key 
to the effectiveness of the proposed mission computer architecture is the use of the 
existing Aerospace Ground Equipment (AGE) interface to provide a dual-ported 
memory. This would create an image of the GPC memory for the mission computer
system. When combined with the AGE interface, the mission computer system allows 
many functions to be off-loaded from the GPC. This frees up memory and CPU capac- 
ity for software expansion in the GPC. The mission computer and the use of the AGE 
are part of the Block I avionics upgrade. 

The AUAT's plans call for the use of three mission computers in order to achieve redundancy.
Specific functions to be off-loaded from the GPCs to the mission computers
have yet to be determined, although display functions will be among the top candidates.
Eventually, the AUAT plans to consider moving “Crit 1” functions to the mission
computers. That approach concerns the Panel. It is a significant departure from the 
current configuration which has proved successful in nearly 100 flights. Extensive test- 
ing would be required to achieve equivalent confidence in such a change. 




Ref: Finding #18


The ISS program includes significant flight and test hardware and software develop- 
ment by the International Partners (IPs). Initially, maintenance of the source code 
will be accomplished under the control of the concerned IP. Responsibilities for the
longer term, however, are not clear. The long-term support of the International 
Partners with respect to software source code is essential to the safe operation of the 
ISS and the resolution of any software-related anomalies. NASA must ensure that 
agreements to provide long-term support for the ISS, especially software systems, are 
in place and adequately cover source code and anomaly resolution. 




F. AERO-SPACE TECHNOLOGY


Ref: Finding #19

While there has been some increase in NASA investment in aviation safety, overall 
funding falls short of supporting the goals and objectives of the Nation’s aviation 
safety program. For example, examination of aging aircraft phenomena and tech- 
niques for amelioration or correction thereof have been all but terminated. Likewise, 
the effort to examine failure modes of composite structures has been significantly 
slowed. Similarly, efforts at finding new methods of non-destructive testing have 
been given low priority. Tire research has been abandoned and innovative cockpit 
visibility system development markedly set back. While some of these efforts remain 
the subjects of individual laboratory research, none benefit from the prestige and vis- 
ibility brought by the status of such projects as the High Speed Research program 
and the Advanced Subsonic Technology aircraft. Projects such as these drive the 
smaller efforts which, in turn, are the keys to enhanced aviation safety. NASA should 
identify those elements of the eliminated programs which had the potential to 
improve aviation safety and cover them elsewhere.




Ref: Finding #20


The Panel is concerned that there is inconsistent definition of Center Directors’ 
responsibility for and role in aviation flight readiness, flight clearance, and aviation 
safety review board matters. In certain instances, critical decisions are left to rela- 
tively junior NASA employees or to contractors. The Dryden Flight Research Center 
(DFRC) has an outstanding system, both on paper and in practice. This system should
be used as a model by all other Centers and Center Directors to ensure proper 
involvement in aviation flight readiness, flight clearance, and aviation safety review 
board matters. 





Ref: Finding #21


The responsibility for safety between NASA and the contractor when contractor air- 
craft and payloads are utilized is not well defined. Often, the rationale is that since 
contractor aircraft are operated under FAA certification procedures, NASA involve- 
ment is not required. The Panel does not agree with this rationale. In the event of an 
incident, NASA (or other Government personnel) could be charged with responsibility
and, in any event, it will be a “NASA incident.” One example is the recent
Perseus Unoccupied Air Vehicle (UAV) accident wherein the flight termination 
system (FTS) failed. It had first been assumed that the design and implementation of 
the system were the contractor’s responsibility, but when the FTS failed and the air- 
craft left the range, it became a Government problem. A potential for a similar, and 
even more disastrous, problem is in the Stratospheric Observatory for Infrared 
Astronomy (SOFIA) program. A central and precise definition of responsibility is 
needed. DFRC, NASA’s Center for Flight Excellence, now has an excellent procedure 
which could serve as the model for better defining these responsibilities for all of 
NASA. 




Ref: Findings #22, #23, and #24


The SOFIA project is still in its early phases, thus the Panel has no immediate safety 
concerns. There are potential problems in the long-term, however. For example,
the project is a virtual hodgepodge of overlapping functions and responsibilities, 
ostensibly pointed toward flight of a large telescope some years in the future. NASA- 
operated Moffett Federal Airfield will be the home base of SOFIA operations, and the 
Ames Research Center (ARC) has responsibility for the program. The prime contrac- 
tor under Ames’ aegis is Universities Space Research Association. United Airlines 
(UAL) and Raytheon Corporation are supporting contractors. Currently underway is 
a five-year process for acquisition, modification, refurbishment, and certification of a 
Boeing 747SP aircraft. Airworthiness certification, reportedly, is the responsibility of 
both NASA and the Federal Aviation Administration (FAA) under Federal Air 
Regulation (FAR), Part 25, Supplemental Type Certificate. Maintenance will be governed
by FAR Part 121. Operations will be governed by FAR Part 91. At some yet
undetermined point, the NASA Ames Airworthiness and Flight Safety Review Board 
process will be implemented. This process had been all but abandoned with the 
transfer of most flight programs from Ames to DFRC. It is thus in need of early reju- 
venation and exercise. Since UAL crews will operate the aircraft, UAL is also expected 
to conduct safety reviews. Meanwhile, as modifications to accommodate the tele- 
scope proceed, the affected flight operations community has been ignored. 
Consequently, not only are inappropriate procedures liable to become a fait accom- 
pli, but also flight system updates desirable for reducing workload and risk could 
well be overlooked. Some examples are flight management, navigation, and safety sys- 
tems, such as the latest Traffic Alerting and Collision Avoidance System (T-CAS) and 
Reduced Vertical Separation Minima (RVSM) qualification. Finally, and most impor- 
tantly, NASA and UAL flight operations personnel must be made a part of the SOFIA 
team and participate in all relevant matters beginning immediately. 







IV. Appendices 



Appendix A


AEROSPACE SAFETY ADVISORY PANEL MEMBERSHIP


CHAIRMAN

MR. RICHARD D. BLOMBERG
President
Dunlap and Associates, Inc.

DEPUTY CHAIRMAN

VADM ROBERT F. DUNN, USN (RET)
Aerospace Consultant/Author
Former Deputy Chief of
Naval Operations Air Warfare
Pentagon

MEMBERS

MS. YVONNE C. BRILL
Aerospace Consultant
Former Space Segment Engineer
INMARSAT

MR. KENNETH G. ENGLAR
Aerospace Consultant
Former Chief Engineer
Delta Launch Vehicle
McDonnell Douglas Corporation

DR. GEORGE J. GLEGHORN
Aerospace Consultant
Former Vice President and Chief Engineer
Space & Technology Group
TRW, Inc.

DR. SEYMOUR C. HIMMEL
Aerospace Consultant
Former Associate Director
NASA Lewis Research Center

VADM BERNARD M. KAUDERER, USN (RET)
Aerospace Consultant
Former Commander Submarine Forces
U.S. Atlantic Fleet

DR. NORRIS J. KRONE
President
University Research Foundation

DR. RICHARD A. VOLZ
Royce E. Wisenbaker Professor
of Engineering
Former Head
Department of Computer Science
Texas A&M University

CONSULTANTS

MR. ROBERT L. GIBSON
First Officer
Southwest Airlines
Former Space Shuttle Commander

MS. SHIRLEY C. MCCARTY
Aerospace Consultant
Former Principal Director
Software Engineering
The Aerospace Corporation

MR. NORMAN R. PARMET
Aerospace Consultant
Former Vice President
Engineering
Trans World Airlines

ADM J. PAUL REASON, USN (RET.)
Aerospace Consultant
Former Commander in Chief,
U.S. Atlantic Fleet

MR. ROGER D. SCHAUFELE
Professor, Aircraft Design
California State University
Former Vice President
Engineering
Douglas Aircraft Company

MR. ROBERT B. SIECK
Aerospace Consultant
Former Director of Shuttle
Processing
NASA Kennedy Space Center

DR. JOHN G. STEWART
Partner
Stewart, Wright & Associates, LLC

EX-OFFICIO MEMBER

MR. FREDERICK D. GREGORY
Associate Administrator for
Safety and Mission Assurance
NASA Headquarters

STAFF

MS. SUZANNE E. HILDING
Executive Director
NASA Headquarters

MS. SUSAN M. BURCH
Staff Assistant
NASA Headquarters

MS. VICKIE B. SMITH
Secretary
NASA Headquarters




Appendix B


NASA RESPONSE TO ANNUAL REPORT FOR 1998


SUMMARY 

NASA responded on July 19, 1999, to the “Findings and Recommendations” from the 
Annual Report for 1998. NASA’s response to each report item is categorized by the 
Panel as “open, continuing, or closed.” Open items are those on which the Panel dif- 
fers with the NASA response in one or more respects. They are typically addressed 
by a new finding, recommendation, or observation in this report. Continuing items 
involve concerns that are an inherent part of NASA operations or have not pro- 
gressed sufficiently to permit a final determination by the Panel. These will remain a 
focus of the Panel’s activities during 2000. Items considered answered adequately are 
deemed closed. 

Based on the Panel’s review of the NASA response and the information gathered 
during the 1999 period, the status of the recommendations made in the Annual 
Report for 1998 is presented on the following pages. 





Finding/Recommendation #1: Continuing - Despite high-level attention to 
workforce issues within NASA, a lifting of the hiring freeze, and some relief to OSF 
centers, several realities remain: continuing critical skill deficits in many locations, a 
continuing (although stretched out) downsizing at the OSF centers, and a seeming 
incapacity to hire young “fresh-out” engineering talent.

Finding/Recommendation #2: Continuing - Work pressures, coupled with 
downsizing and critical skills shortages, continue to make training and cross-training 
initiatives difficult to undertake fully in some situations, resulting in a work environ- 
ment that stretches the capabilities of persons assigned to particular jobs. 

Finding/Recommendation #3: Continuing - Project management training 
resources are being strengthened across NASA. These initiatives are generally of high
quality and are welcomed in the field centers. However, this intensified effort is still 
in its early stages and has achieved limited impact in the field. 

Finding/Recommendation #4: Continuing - NASA’s response is very encouraging.
The intent to look beyond standard metrics is a good one. The expansion of the
definitions related to close calls also suggests a productive shift in thinking. 
Nevertheless, at this point only plans exist. 

Finding/Recommendation #5: Open - Although the NASA response concurs
with the recommendation, the supporting material is quite vague. Metrics have been 
developed and plans are in place, but there is no mention of how much of the paper 
will be addressed or on what timetable. There is a suggestion that new initiatives will
solve the problem, but no concrete evidence. 

Finding/Recommendation #6: Closed - Logistics recognizes the problem areas 
and is working the problems. 

Finding/Recommendation #7: Closed - A comprehensive response. 

Finding/Recommendation #8: Closed - The response is basically a straightforward
agreement with the recommendation.

Finding/Recommendation #9: Closed - All hardware and software for MEIT has 
been certified. 

Finding/Recommendation #10: Open - NASA’s response states that the primary 
purpose of the simulations is to check out the interfaces to other devices being 
tested in the MEIT. This is a different issue than the fidelity of the overall simula- 
tion which was the topic addressed in the finding and recommendation. 




Finding/Recommendation #11: Closed - The Flight Crew Operations Directorate 
agrees that each flight crew should be actively involved in testing early in the hard- 
ware development and crew training cycles. 

Finding/Recommendation #12: Open - The CRV procurement has been delayed
by lack of funding. In addition, it appears that the Soyuz program is behind schedule 
and may not be able to supply the vehicles as previously agreed. 

Finding/Recommendation #13: Open - The plans for CRV certification and 
human-rating are not yet available for assessment. 

Finding/Recommendation #14: Continuing - While NASA’s response reflects a 
significantly heightened sensitivity to the issue of radiation protection, the various 
radiation protection efforts are just beginning. 

Finding/Recommendation #15: Closed - The NASA response indicates an appre- 
ciation for the importance of supporting research in radiation health physics. 

Finding/Recommendation #16: Closed - The issue is minor and has been surfaced.

Finding/Recommendation #17: Closed - A satisfactory response. 

Finding/Recommendation #18: Closed - The justification for not acquiring addi- 
tional U.S. SAFER units is technically reasonable. 

Finding/Recommendation #19: Closed - A satisfactory response. 

Finding/Recommendation #20: Continuing - NASA responds that the value of 
the EVA R&T Program is recognized, but implies that the scope of the program is 
budget constrained. 

Finding/Recommendation #21: Closed - A satisfactory response. 

Finding/Recommendation #22: Continuing - The NASA efforts to qualify a 2- 
hour pre-breathe protocol are underway. 

Finding/Recommendation #23: Closed - Activity regarding EMU shielding has 
been initiated. 

Finding/Recommendation #24: Closed - The NASA response justifies sustaining 
the EVA Ground Rule regarding simultaneous EMU/ORLAN EVA operations. 




Finding/Recommendation #25a: Continuing - NASA has misunderstood the
thrust of the Panel’s comment relative to redundancy in the initiation function for 
the SAFER. There was no implication that two identical, redundant initiator systems 
should be provided, but rather that an alternate redundant system should be consid- 
ered. 

Finding/Recommendation #25b: Open - The finding was addressed to all NASA
centers that use NASA Standard Initiators (NSIs). The reply appears to be limited to
JSC and is adequate for that Center. The item should not be considered closed until 
other users of the NSI have been canvassed. 

Finding/Recommendation #25c: Continuing - Testing with non-flight-type hardware
was called for and used despite being contrary to generally accepted practice.
It is commendable that the new circuit was properly tested with flight-type hard- 
ware, but this does not provide assurance that future testing will follow this example. 

Finding/Recommendation #26: Closed - NASA indicates that the FAA is engaged. 

Finding/Recommendation #27: Continuing - The NASA plan appears solid; the 
Panel is awaiting the results of software verification and other testing. 

Finding/Recommendation #28: Continuing - The X-33 and X-34 programs are 
still maturing, and the range safety plans have yet to be definitized.

Finding/Recommendation #29: Continuing - NASA is taking steps in the right 
direction on the Space Shuttle GPC issues, but the program is not yet funded. 

Finding/Recommendation #30: Closed — NASA’s response states that they do not 
need to generate an I-load dependency matrix because the dependencies are verified 
as part of the certification process. 

Finding/Recommendation #31: Closed — NASA has concurred with this recom- 
mendation and undertaken actions to follow the recommendation to provide a more 
robust lockout capability in CLCS. 

Finding/Recommendation #32: Continuing — NASA concurs with the recom- 
mendation and has begun an action to deal with it, but it will take significant time to 
complete. 

Finding/Recommendation #33: Closed — NASA concurs and has committed to 
follow this recommendation prior to flight of the ISS MMU.




Finding/Recommendation #34: Continuing — NASA has stated that the Russians 
will provide their source codes, but that other IPs will not because doing so would 
compromise their proprietary agreements with their contractors. Thus, the problem 
remains. 

Finding/Recommendation #35: Continuing - NASA concurs with the recom- 
mendation and has initiated action to follow it. Results will take some time. 

Finding/Recommendation #36: Closed — NASA states that this is already being
done utilizing an Integrated Process Team approach. 

Finding/Recommendation #37: Closed - NASA has concurred with the recommendation
and taken action to incorporate a more secure uplink.





National Aeronautics and 
Space Administration 

Office of the Administrator

Washington, DC 20546-0001 




JUL 19 1999


Mr. Richard Blomberg 
Chairman 

Aerospace Safety Advisory Panel 
1010 Summer Street 
Stamford, CT 06905-5503 


Dear Mr. Blomberg: 

In accordance with your request after our February 4, 1999, meeting, enclosed is 
NASA’s response to the Section II, “Findings and Recommendations,” from the 
Aerospace Safety Advisory Panel (ASAP) Annual Report for 1998. 

The ASAP’s efforts in assisting NASA to maintain the highest possible safety
standards are commendable. Your recommendations are highly regarded and continue to 
play an important role in risk reduction in NASA programs. 

We thank you and your Panel members and consultants for your valuable 
contributions. ASAP recommendations receive the full attention of NASA senior 
management. In particular, I expect that NASA’s Office of Safety and Mission Assurance 
will track resolution of these issues as part of their role in independent assessment. 

We welcome the continuance of this beneficial working relationship with the Panel. 

Sincerely, 



Daniel S. Goldin 
Administrator 


Enclosure 






1998 AEROSPACE SAFETY ADVISORY PANEL REPORT

Findings, Recommendations, and Responses


Finding #1

Budget and personnel ceiling constraints on the hiring of engineers, scientists, and 
technical workers are moving NASA toward a crisis of losing the core competencies 
needed to conduct the Nation’s space flight and aerospace programs in a safe and 
effective manner.

Recommendation #1

Provide NASA’s human space flight Field Centers, particularly KSC, JSC, and MSFC, 
with the budgetary resources and administrative flexibility needed to strengthen 
their human resource capabilities. 

Response 

NASA concurs with the recommendation; and, we fully recognize the near heroic 
efforts at each of our installations that have brought us within striking distance of our 
downsizing targets. 

At the beginning of fiscal year 1993, the NASA employment level was 24,900 FTE. As 
a result of the March 1993 Executive Order to reduce Federal Civilian FTE by 
100,000, the NPR recommendations and additional OMB directed cuts in 1994, NASA 
received an out-year target of 20,906. Additional budget reductions occurred that 
required us to initiate the Zero Base Review, which was completed in 1995. The ZBR 
recommended an FY 2000 FTE level of 17,488. Since that time we have carefully 
managed an FTE reduction to a planned 18,545 FTE for FY 99 and 17,970 for FY 00. 
Our final "go to" target is now 17,574 FTE for FY 04. Currently 7 of our 10 Centers
are at or below our lowest "go to" numbers. To NASA’s credit, our accomplishments 
were achieved without resort to the ravages of a reduction-in-force. Voluntary losses 
to date include in excess of 4,500 buyouts, 1,300 early outs, and more than 800 inter- 
center transfers. 




As a result of the downsizing challenges, we provided relief to the OSF Centers in the 
FY 00 budget process as follows: FY 99-153 FTE; FY 00-110 FTE; FY 01-103 FTE; 
FY 02-59 FTE; and, FY 03-68 FTE. This relief has enabled the innovative use of tem- 
porary and extended term appointments, as well as increasing the number of 
permanent hires available to fill critical skill positions. In addition, we are currently
reviewing their request for additional relief, as identified in the recent Core 
Capability Assessment (CCA). OSF management has proposed several augmentation 
and/or hiring models that address both short and long term needs regarding replace- 
ment and enhancement of critical workforce competencies. One objective of the 
current CCA review is to help chart a strategy that will provide the OSF Centers with 
the requisite flexibility to attract and retain the core competency talent pool neces- 
sary to ensure safe mission and program success. 





Finding #2


Shortfalls in workforce training within both NASA and USA, caused by downsizing 
and the related difficulty of hiring new people to fill skill shortages, can jeopardize 
otherwise safe operations. 

Recommendation #2

NASA and USA should review critical skills training and certification requirements 
and institute programs to ensure the full proficiency of the workforce and the safety 
of the products being released. 

Response 

NASA concurs in the recommendation and, in cooperation with USA, has already 
reviewed certification requirements for flight controllers, training instructors, and 
other key operating positions. Training plans and certification requirements for criti- 
cal positions have been documented and maintained. For example, the management 
role in launch countdown and landing is supported by a well-defined training and 
certification plan. NASA and its contractors are continually reviewing critical skills 
training and certification requirements to ensure controls are in place to validate and 
ensure employee proficiency. Quality initiatives are being developed to provide 
improved processes for cross training, automated training tools, inline automated cer- 
tification validation, and enhancements in the closed loop verification of operators 
and system operational performance. 

Meanwhile, training capacity for new employees, both NASA and contractor, has been 
increased through intensive simulator training at a new USA "training academy." A
saturation-type training environment has been designed to improve training at the
beginning of the regular certification process and produce employees better quali- 
fied for critical process work. 

In training and orientation programs, NASA emphasizes the priority of safety and the 
responsibility of employees to voice their concerns about inadequate assurances of 
safe products. 




Finding #3


The combined effect of workforce downsizing, the recent hiring freeze, and the 
SFOC transition, especially at KSC, has raised the possibility that NASA senior man- 
agers in the future will lack the necessary hands-on technical knowledge and in-line 
experience to provide effective insight of operations. 

Recommendation #3

NASA should develop and promulgate training and career paths, with a special focus 
on providing hands-on technical knowledge and experience, so that NASA’s future 
senior managers will possess the range of skills and experience required for effective 
insight of the SFOC. 

Response 

NASA concurs in the recommendation and is intensifying and refocusing its efforts 
in training and in support of career development at all levels. 

At the operating level, NASA managers are instructed to plan and to take advantage of 
all opportunities to obtain operational experience through audit, surveillance, and 
other interfaces to provide hands-on experience to NASA personnel. These include, in 
addition to the simulator training discussed in the response to Recommendation #2: 

• co-op assignments partnered with contractor systems engineers, 

• direct observation or procedure review of critical tasks 

• management of Shuttle launch countdown, launch, and landing/recovery 

• participation in flight and ground systems development and enhancements 

• processing mid-decks, utilization payloads, and partial Shuttle payloads 

• participation in contractor testing, and anomaly resolution 

• ensuring adequately designed, tested, and assembled hardware 

Additionally, employees are provided cross training and specialized training as 
needed and strongly encouraged to take advantage of program related training. 




The key to developing future generations of senior managers is to provide hands-on 
experience, with progressively more responsible assignments through one’s career. 
Both NASA and the contractors continually seek improvements in the succession 
planning and preparations for the next generation of supervisors and managers. 
Special consideration is given to assuring that broad training and hands-on opera- 
tional/technical job assignments and opportunities are consciously addressed for 
promising candidates for future senior management positions. NASA’s training phi- 
losophy also emphasizes on-the-job work experiences supplemented by classroom 
instruction, participation in outside academic programs and industry through assign- 
ments in such private sector organizations as Boeing, Newport News Shipbuilding, 
and USA. 

At the agency planning level, the training budget has provided for an increase of 20% 
for the Office of Space Flight from FY1997 through FY2000. Current agency Program 
Operating Plan (POP) guidelines call for funding training at 2-3.25% of salary levels,
an extremely generous ratio for government and rivaling progressive private sector 
organizations. 

The NASA Academy of Program and Project Leadership (APPL) is building on ten
years of educational and developmental activities and is striving to facilitate the flow 
of current knowledge and techniques to the full engineering and science workforce. 
APPL is making available information and automated tools on-line and seeking to 
develop expert systems. APPL is also working directly to support intact teams with 
information and techniques and attempting to better organize case studies and 
archives into a more effective knowledge base. 

The APPL program is also adding an Accelerated Leadership Option to the Project 
Management Development Process (PMDP) which will enable NASA engineers to 
obtain a Master’s of Science in Engineering and Management degree from MIT. APPL
is continuing and expanding a multifaceted program of classroom work, develop- 
mental work assignments, and dissemination of information and guidance. 

Finally, NASA is well along in an update of its Leadership Development Model; docu- 
menting the technical, managerial, and executive competencies required to direct 
the work of the agency through the foreseeable future. This model will guide the 
scope and emphasis of training and development programs, including a new 
approach to succession planning, to ensure that NASA’s leaders at all levels have the 
knowledge and skills to meet their responsibilities. 




Finding #4


It is often difficult to find meaningful metrics that directly show safety risks or unsafe
conditions. Safety risks for a mature vehicle, such as the Space Shuttle, are identifiable 
primarily in specific deviations from established procedures and processes, and they 
are meaningful only on a case-by-case basis. NASA and USA have a procedure for find- 
ing and reporting mishaps and "close calls" that should produce far more significant 
insight into safety risks than would mere metrics. 

Recommendation #4

In addition to standard metrics, NASA should be intimately aware of the mishaps and 
close calls that are discovered, follow up in a timely manner, and concur on the
recommended corrective actions.

Response 

NASA agrees with the recommendation. In addition to standard metrics, NASA is inti- 
mately aware of the mishaps and close calls and is directly involved in the 
investigations and approval of corrective actions. Current requirements contained in 
various NASA Center and contractor safety plans include procedures for reporting of 
mishaps and close calls. These reports are investigated and resolved under the lead- 
ership of NASA representatives with associated information being recorded and 
reported to NASA management. NASA is intimately aware of and participates in the 
causal analysis and designation of corrective action for each mishap. Additionally, 
NASA performs trend analysis of metrics as part of the required insight activities. 


Definitions relating to "close call" have been expanded to include any observation or
employee comment related to safety improvement. Close call reporting has been
emphasized in contractor and NASA civil servant performance criteria and a robust
management information system is being incorporated to monitor and analyze conditions
and behavior having the potential to result in a mishap. Various joint NASA/contractor
forums exist to review, evaluate, and assign actions associated with reported close
calls. As an example, the KSC NASA Human Factors Integration Office leads the
NASA/Contractor Human Factors Integrated Product Team (IPT) in the collection,
integration, analysis, and dissemination of root cause and contributing cause data
across all KSC organizations. The KSC Human Factors IPT is also enhancing the current
close call process which includes tracking of mishaps with damage below $1000 and
injuries with no lost workdays. The SSP has revised its Preventive/Corrective Action
Work Instruction to include mandatory quarterly review of close call reports. Several
initiatives are in place to increase awareness of the importance of close call reporting
and preventive/corrective action across the SSP and the supporting NASA Centers and
contractors.





Under this new approach to close call reporting, a metric indicating an increase in 
close call reporting and preventive action is considered highly desirable as it indi- 
cates an increased involvement by the workforce in identifying and resolving 
potential hazards. Care is taken in over emphasizing the number of close calls 
reported as a performance metric to prevent reluctance in reporting. NASA is work- 
ing hard to shift the paradigm from the negative aspects of reporting close calls 
under the previous definition to being a positive aspect of employee identification 
of close calls under the new definition. 




Finding #5


A principal cause of Space Shuttle processing errors is incorrect documentation 
("paperwork"). 

Recommendation #5

NASA and USA must place increased priority on determining error sources, causes, 
and corrective actions for inadequacies in the documentation on which Space 
Shuttle processing is based and develop a management system that drastically 
reduces the time that it takes to incorporate paperwork changes. 

Response 

NASA concurs with the recommendation. NASA and USA have established metrics to 
identify the types of errors and error sources in the processing documentation. 
During daily interface, NASA and USA discuss these metrics and perform causal analy- 
sis to identify the need for corrective action. For critical procedures, USA has 
implemented a check and balance in the work instruction generation process to 
increase the procedure quality before it is worked. Additionally, NASA and USA have 
an initiative to reduce the complexity of work procedures, increase the procedure 
standardization, and reduce the time for paperwork generation for work not requir- 
ing engineering disposition. 

More importantly, USA is developing, as a high priority, a paperless system. 
Specifically, the Ground Operations organization at KSC is implementing an inte- 
grated on-line system that ensures total process rigor and mitigates the potential for 
human error in accomplishing space flight work. This system incorporates recog- 
nized "best practices" for authoring work documents including on-line review and 
approval, and the ability for authors to automatically update and incorporate work 
document deviations. Required checks and balances are inherent in the system to 
maintain the integrity, safety and quality of both flight and ground work performed. 
Work documents will clarify user understanding by incorporating enhanced expla- 
nations with in-line graphics, sound and video where required. The goal of this 
activity is to ensure that a properly certified person, utilizing the right work instruc- 
tions, has safely accomplished all required work. 





Finding #6


While spares support of the Space Shuttle fleet has been generally satisfactory, repair 
turnaround times (RTAT's) have shown indications of rising. Increased flight rates 
will exacerbate this problem. 

Recommendation #6


Refocus on adequate acquisition of spares and logistic system staffing levels to pre- 
clude high RTAT’s, which contribute to poor reliability and could lead to a mishap. 

Response 

NASA concurs with the recommendation. During calendar year 1998, RTAT’s for both 
the NASA Shuttle Logistics Depot and the original equipment manufacturer fluctu- 
ated, but at year’s end, the overall trend was downward through concerted NASA and 
vendor efforts. These efforts are aimed at providing better support at the current 
flight rate and for higher flight rates in the future. Logistics is working to find innov- 
ative ways to extend the lives of aging line replaceable units (LRU’s) and their 
support/test equipment. Logistics has initiated the Space Council (an industry group
with 11 other company executives addressing such topics as verification reduction,
ISO compliance, and upgrades) to assure the supplier base continues its outstanding
support to the SSP. Examples of LRU’s being evaluated and enhanced include: Star
Trackers, auxiliary power units, inertial measurement units, multifunction electronic 
display system (MEDS), Ku-band, orbiter tires, and manned maneuvering units. 


NASA/KSC Logistics and USA Integrated Logistics have made progress on a long-term 
supportability tool. The tool will provide information, including historical repair 
trend data for major LRU’s, RTAT’s, and "what if" scenarios based on manipulation of
factors (e.g., flight rate, turnaround times, loss of assets, etc.) to determine their effect
on the probability of sufficiency. This will be a tool, not a substitute, for human ana- 
lytical decision making. 




Annual Report for 1999

Aerospace Safety Advisory Panel


Finding #7


NASA aircraft used for both Space Shuttle operations and astronaut training are increas-
ingly out of date and, in several respects, may be approaching the unsafe. This is noticeably
so in the case of the Shuttle Training Aircraft (STA) and T-38 aircraft.

Recommendation #7

Continue to execute and accelerate as much as possible the current plans for the mod- 
ernization and safety assessment of astronaut training aircraft. 

Response 

NASA believes that the current aircraft used as astronaut training aircraft are maintained 
in a safe condition. NASA remains committed to safe operation of all the training aircraft. 
Measures to ensure that the NASA T-38’s and STA’s used for astronaut training are main-
tained in a safe configuration and in good material and structural condition are in place.
A summary of current efforts is as follows: 


T-38: NASA’s approach to maintaining and modernizing the T-38’s is two-fold. The first 
approach consists of maintaining and upgrading the fleet in consonance with the USAF 
programs. (The USAF Air Training Command plans to use the T-38 for flight training to 
2020 and beyond.) This includes engine component upgrades, replacement of structural 
members, including entire wings, and comprehensive nondestructive inspections at pre- 
scribed intervals. Additionally, a 1995 NASA contracted limited damage tolerance 
assessment study confirmed that the aircraft structures can be maintained with standard 
inspection criteria at intervals. The second approach encompasses NASA unique pro- 
grams that are tailored to the specific use of the NASA T-38’s for the astronauts’ space 
flight readiness training. NASA unique programs include: 

1. An Avionics Upgrade Program which modernized the communications and naviga- 
tion systems, replaced high failure rate and outdated avionics, and added a weather 
radar, a flight management system, an altitude alerter, and modern controls and dis-
plays. This program has been completed on the T-38 operational fleet and has
resulted in a redesignation of the USAF T-38A to the NASA T-38N. Intended follow-on
avionics enhancements, as they become practical and economically acceptable for
the T-38N, include modification to a Global Positioning Satellite (GPS)-based flight
management system and the incorporation of the terminal collision avoidance 
system. 

2. Modified engine inlets to increase the takeoff performance and the margin of safety 
of the aircraft over the standard configuration. A successful flight test program on the
prototype aircraft has been completed, and the T-38 corrosion control and structural
modification team at El Paso, Texas, has completed the first pilot production aircraft.

3. Replacing the T-38 ejection seats with state-of-the-art seats that will meet the full 
range of astronaut anthropometries and are highly reliable, zero-altitude/zero-air- 
speed capable. 

4. A just completed flight test of an engine ejector modification designed to improve 
the in-flight range of the T-38. This modification should enhance both efficiency and
flight safety. 

NASA will continue to evaluate new programs and seek new initiatives to meet the 
requirements as they evolve, such as adding avionics for compatibility with the future free 
flight concept in the air traffic control system. 

STA: NASA has four STA’s and one spare Gulfstream II (GII) that will be modified into an 
STA when it is either required by the Shuttle flight rate or in the event that one of the 
four STA’s becomes unusable. 

In regards to STA maintenance, the initial aircraft maintenance and inspection program 
developed by the aircraft manufacturer, Grumman, in concert with NASA engineers 
included a short interval comprehensive nondestructive inspection program. That mainte-
nance program was designed to ensure close monitoring of the structural health and
material condition of the STA, which was and is operated in a much more demanding flight 
regime than the corporate GII aircraft. Furthermore, a 1993 and 1994 NASA contracted 
effort with Science Applications International Corporation resulted in the determination 
that the STA fleet can operate safely within the established flight training profiles and that 
structural integrity can be monitored through the ongoing inspection program. 

Modernization of the aircraft includes recent avionics systems upgrades with an incor- 
porated differential GPS approach guidance system and the modification of the Shuttle 
simulation system to include the orbiter MEDS to provide astronaut pilot orbiter landing 
training for MEDS-equipped orbiters. 

Based on the basic STA GII remaining service life and the NASA maintenance program, 
there should be ample service life remaining on the four aircraft to provide astronaut train- 
ing well into the second decade of the 21st century. However, repair and component costs 
due to systems obsolescence or frequency of structural repairs could conceivably indicate 
a need for either systems redesigns or an earlier selection of a replacement aircraft type. 




Finding #8


The use of simulated Space Shuttle launch and flight operations for training and 
rehearsal has proven to be an effective technique for enhancing safety and efficiency 
and is especially valuable in the case of special or rarely performed procedures or 
after a long hiatus of effort. 

Recommendation #8

Simulation-based training should be included in difficult or infrequent Space Shuttle 
operations whenever feasible. This type of training is especially needed after there 
has been a significant hiatus in performing an operation. 


Response 

NASA concurs with the recommendation. NASA and USA have beneficially increased 
simulation-based training at KSC. The pursuit of a separate simulation training room
and simulation team will allow NASA and USA to further increase the number of sim- 
ulations that can be performed each flow. Additionally, KSC will use the new 
collaborative engineering environment to enhance simulation capabilities. 





Finding #9


Some hardware is being used in MEIT before it has completed qualification testing. 
Software is also often used before its verification and validation is complete. In both 
cases, modification to the hardware or software may be required before certification 
is completed, thereby potentially invalidating the results of the initial MEIT testing. 

Recommendation #9

When it makes sense to deliver hardware or software to system-level testing such as 
MEIT before qualification/certification is complete, the effect of any qualification- 
induced changes must be carefully evaluated for implications for regression testing. 
Final testing should always be run with validated software and qualified hardware. 

Response 

NASA concurs with the recommendation and notes that the ISS Program requires 
regression evaluation for all modifications performed on flight hardware to assess 
whether certification, acceptance, or integration testing results are invalidated and 
must be performed again. The final flight configuration will be verified by regression 
testing as well as acceptance, mission sequence, end-to-end, and integration tests. 

The Space Station and Shuttle Payloads Office at KSC (Code NN) utilizes Flight, Flight 
Equivalent and GSE hardware and software for MEIT that has been certified through 
ISS Program Office control boards and panels for these tests. The boards and panels 
also specify regression tests with flight units when required through the directives 
they provide. The NN MEIT test schedules currently have regression tests planned for 
modified or repaired hardware units and revised software per ISS Program Office 
control board and panel directives and requirements. 




Finding #10


MEIT is the highest level of integrated testing available before committing ISS ele- 
ments to launch. In order to produce valid results, this testing requires a high level of 
fidelity in emulators/simulators used in place of missing components. 

Recommendation #10

The ISS Program should ensure that high-fidelity simulations of on-orbit components 
are used in the MEIT and that the configurations of those simulators are validated to 
be in agreement with what has actually been orbited. 

Response 

NASA concurs with the recommendation. The node emulator for MEIT I was built as 
certified GSE as was the Lab Emulator for MEIT II and III. Emulator design require- 
ments include the emulated flight article’s ICDs to the elements under test in MEIT. 
Activation/Validation and integrated testing confirms emulators meet the emulated 
flight article’s interface requirements and compares emulator performance with the 
flight article’s performance in similar testing. The primary objective of these tests is 
to certify the emulators act like the flight article for the interfaces under test. The 
emulators are under configuration management (CM) control and any updates to the 
flight elements will be checked for potential impacts to the emulators. 




Finding #11


Astronaut crew participation in testing improves fidelity of the test and better famil- 
iarizes the crew with systems and procedures. 

Recommendation #11

NASA should continue to involve the crew in integration testing and do so more 
heavily and at an earlier stage. 

Response 

NASA concurs with the recommendation. The Flight Crew Operations Directorate 
(FCOD) at JSC is making every effort to ensure that astronauts are actively involved in 
hardware and software testing of Space Station components at all phases of their devel- 
opment. FCOD heartily concurs that this involvement needs to continue at an early stage 
and with a high level of participation. This involvement is accomplished through the tech-
nical assignments that are filled by astronauts who are not assigned to a specific mission
and by the assigned flight crews responsible for the assembly of the hardware on orbit. 
Traditionally, flight crews are assigned about 1 year ahead of time for a shuttle mission. 

In the case of Space Station assembly missions, an attempt has been made to assign 
crews at least a year and a half ahead of time so that they are actively involved in the 
development of the on orbit procedures and the test and checkout of the hardware. 
Early involvement ensures that crews are able to make engineering inputs based on 
operational experience to correct problems before they result in time consuming 
and difficult on orbit workarounds. 

All test activities are tracked by the Vehicle Integration Test Team (VITT) within
FCOD. To accomplish this, personnel are assigned the responsibility to monitor the 
hardware at the various sites where it is being built, including overseas sites, as well 
as at the Kennedy Space Center. These personnel provide the astronauts with the cur-
rent status of the hardware, coordinate crew visits to the sites and ensure that
astronauts are participants in all critical tests. 

Additionally, the increment crews that will actually be living on the station after it is 
constructed have been made active participants in the test and checkout of the hard- 
ware while it is still on the ground. 

FCOD will continue to ensure that this crew involvement continues and is not just lim- 
ited to Space Station assembly missions but also encompasses Orbiter upgrades, the Crew 
Return Vehicle, payloads, and any future program that requires astronaut participation. 




Finding #12


The current ISS requirement is for a single Crew Return Vehicle (CRV). Crew safety 
over the life of the ISS requires the availability on orbit of two CRV's, both of which
are capable of accommodating the entire crew. The Soyuz capsule, designated as the
interim CRV, does not have a full crew capability. Also, it is uncertain that sufficient
Soyuz capsules and their launches will be available to supply the needs of the ISS. 

Recommendation #12

NASA should accelerate its program to develop and deploy two full-crew CRV's and 
take whatever measures are necessary now to ensure the availability of sufficient 
Soyuz capsules and launchers until the CRV's are ready. 

Response 

The item remains open and under assessment. The ISS Program has assessed the need
and feasibility for a second CRV on-orbit aboard the Space Station. A Tiger Team, led 
by the Astronaut Office, was chartered to assess the overall effectiveness. The Tiger 
Team presented its findings to the Lead Center Director and the Associate 
Administrator for Space Flight, who requested that additional analysis be performed 
in alternative configurations. 

NASA is engaged in on-going discussions with the Russian Space Agency regarding
the acquisition of additional Soyuz vehicles. Due to the current Russian economic 
problems, NASA closely monitors the status of the Soyuz production required to sup- 
port the ISS at the manufacturer, Energia. NASA is engaged in on-going discussions of 
the procurement of additional goods and services from RSA. The procurement will
provide the cash flow necessary to sustain the production levels of Soyuz vehicles
that the ISS requires until the CRV is available. These discussions will continue in the
overall context of determining Russia’s ability to satisfy its commitment as an inter- 
national partner. 





Finding #13


Plans calling for availability on orbit in early 2003 of a U.S. CRV based on the X-38 
technology demonstrator are highly ambitious. Although much of the X-38 technol- 
ogy is off the shelf, there are numerous features that rely on yet-unproven 
approaches. 

Recommendation #13

NASA must not allow the limited CRV development time to compromise the conduct of
a thorough risk assessment and testing program. 

Response 

Concur. The new CRV acquisition strategy requires the developing contractor to take 
responsibility/accountability for the CRV's flight readiness. The CRV RFP Synopsis
asked candidate contractors about CRV risks. None identified 2003 launch readiness
as a significant risk. For government developed technologies (i.e., parafoil and OML
aero) the test programs are ongoing and will be demonstrated with flight tests. 

Although much of the X-38 design is based upon off-the-shelf technology, it is rec- 
ognized that features such as the parafoil landing system are unproven. Where this is 
the case, extra testing is being performed to certify and human rate these systems. 
The extensive parafoil test program at the Yuma Proving Ground is an example of the 
rigorous testing of an unproven design. The last several successful parachute tests are 
beginning to show the fruits of this approach. Once parafoil testing has reached a 
point which has a proven safety and maturity of its design, the parafoil design will 
not be allowed to be changed by the contractor in their CRV design. 

Safety and Mission Assurance play an important role in the X-38 Phase 1 activity. Each 
contractor will be required to develop at least an S&MA Plan, Risk Management Plan, 
Vehicle Certification Plan, Vehicle fault tolerance studies & recommendations, Failure 
Mode, Effect, and Criticality Analysis, and Human Rating Assessment for their CRV 
design. Quality of these S&MA tasks will play a major role in the selection by NASA
personnel of one contractor to perform the Phase 2 task of building the CRV.




Finding #14


In the ASAP Annual Report for 1997, the Panel expressed concern for the high doses 
of radiation recorded by the U.S. astronauts during extended Phase I missions in Mir. 
Subsequent and continuing review of this potential problem revalidates that unre- 
solved concern. The current NASA limit for radiation exposure is 40 REM per year to 
the blood-forming organs, twice the limit for the U.S. airline pilots and four times the 
limit for Navy nuclear operators (see also Finding #23). 

Recommendation #14

NASA should reduce the annual limit for radiation exposure to the blood-forming 
organs by at least one half to not more than 20 REM. 

Response 

NASA concurs with the recommendation. However, in keeping with the "as low as 
reasonably achievable" (ALARA) radiation protection principle, NASA is proposing a 
set of administrative spaceflight exposure limits which are significantly below the 
NCRP recommended annual limits. The administrative limits are designed to 
improve the management of astronaut radiation exposures and ensure that any 
exposures are minimized. The proposed administrative BFO exposure limits range 
from 5 cSv (REM) for a one month exposure period to 16 cSv (REM) for a twelve
month exposure period. These limits have been proposed for inclusion in section 
B14 of the Flight Rules and are currently awaiting concurrence from Energia and the 
Russian Space Agency. 

The National Council on Radiation Protection and Measurements (NCRP) developed 
these limits in 1989 for NASA. The NCRP is a congressionally chartered organization
responsible for developing radiation protection limits. The NASA Administrator, 
OSHA, and the Department of Labor approved these limits. 

NASA has adapted 30 day and annual dose limits of 0.25 Sv and 0.5 Sv, respectively. 
The purpose of these limits is to prevent acute health effects, such as nausea, vomit- 
ing, etc. NASA also maintains career limits intended to limit the probability of cancer 
below 3% excess cancer mortality. These career limits are comparable to the US
career limits for other radiation workers. Furthermore, the annual limits also serve to 
spread out career radiation exposure over time. 

The NCRP completed a re-evaluation of astronaut exposure limits in 1998 using the 
most recent results from longitudinal studies of Japanese atomic bomb survivors. 
Currently, the NCRP has a draft report undergoing full NCRP review and approval,
which is expected to be released in the fall of 1999. When this report is released,
NASA will consider its recommendations and, if appropriate, will proceed to imple- 
ment any recommended reductions. 




Finding #15


By virtue of the several ongoing programs for the human exploration of space, NASA 
is pioneering the study of radiation exposure in space and its effects on the human 
body. Research that could develop and expand credible knowledge in this field of 
unknowns is not keeping pace with operational progress. 

Recommendation #15

Provide the resources to support more completely research in radiation health 
physics. 

Response 

NASA concurs with the recommendation. The funding for radiation research has 
been augmented over the past couple of years. Expanding support for radiation 
health physics research will benefit the mitigation of effects of space radiation and 
the accurate determination of organ doses. NASA’s Space Radiation Health Program 
supports basic research in radiobiology and biological countermeasures. The
Radiation Health Program has initiated efforts to provide reference dosimetry capa- 
bilities for flight dosimetry at Loma Linda University and Brookhaven National 
Laboratory. A phantom torso is being used to assess organ doses on Shuttle and ISS. 
JSC has initiated efforts to improve measurements of the neutron contribution to 
doses in LEO. These efforts include increasing opportunities to use neutron detector 
systems and the development of a high-energy neutron detector by the National 
Space Biomedical Research Institute (NSBRI). Improved understanding of radiation
transport properties of the GCR and neutrons can be used to develop shielding aug- 
mentation approaches for crew sleep quarters and exercise rooms on ISS. 




Finding #16


Many deployable structures on the ISS and satellites on which astronauts must work 
during EVA’s use pyrotechnic initiators. There is often no simple way for an EVA astro-
naut to know by visual inspection whether or not an initiator has fired when a
structure has failed to deploy properly. 

Recommendation #16

NASA should develop and require the use of pyrotechnic initiators that leave clear 
visual evidence that they have fired. These "fire-evident" initiators should be required 
for all applications that may be encountered by an EVA astronaut. 

Response 

The NASA Standard Initiator (NSI) is required for use in all electrically initiated 
pyrotechnic systems whether the application may be encountered by an EVA astro- 
naut or not. The NSI does not provide any means for external visual inspection of 
fired condition when it is installed in a mechanism. Currently, the only test being per-
formed to verify that the initiator fired, without disassembly of the pyrotechnic
mechanism, is to measure firing circuit resistance before and after firing. This func- 
tion can be built into the firing unit. It is not foolproof however, since it cannot 
detect a smart short. To date this has not been a problem with the NSI since in nearly 
100,000 units produced and certified there are no documented failures. That is why 
the NSI carries a reliability of 0.999 at a 90% confidence level. All failures to fire have 
been traced directly to the electrical wiring, connectors, firing unit or flight com- 
puter. Breaks in the electrical firing circuit can be identified by a pre-fire circuit 
resistance check. 

The desire of visual identification is further compounded by the physical location of 
the initiator. In many applications it is located internal to a mechanism and is not 
directly accessible or visible. For those applications where it is external to the mech- 
anism it is still not visible since half the device is torqued into the mechanism and 
the other half is covered by the electrical connector. Stretching the device to make 
a portion of it visible would require a re-design and re-qualification of the initiator at 
an extremely high cost as well as making it larger and heavier in a size and weight 
conscious world. 

Two types of visual indicators have been considered for incorporation into the ini- 
tiator. The first is a temperature sensitive tape that could be placed on the outside of 
the initiator body that would change colors due to temperature rise generated from 
firing the initiator. This is not considered practical. The temperature rise of the NSI
body is small and further affected by heat sinking of the mechanism it is inserted
into. The actual temperature rise that would result is lower than the temperature rise
generated by direct solar radiation. It would be unknown whether the color change 
was due to the initiator firing or the sun. The tape would also not be visible due to 
coverage by the electrical connector without redesign of the initiator body. 

The second possibility of a visual indicator is a pop-up pin that would be pressure 
driven by the NSI firing. Incorporating the pin into the NSI would be both complex 
and expensive. The NSI is a hermetically sealed device, there is no way to incorpo- 
rate a pop-out pin without violating the hermetic seal. The size of the NSI would have 
to be greatly expanded to accommodate the pin/piston which would have to with-
stand pressures from 600 psia to as high as 25,000 psia. The pin/piston orientation
would also affect the pressure output and function time of the initiator. 

One final consideration that is very significant is that there are over 1000 pyrotech- 
nic devices and mechanisms that have been flight qualified and certified to function 
with the NSI. Those devices are in repeated use on numerous crewed and uncrewed 
programs. The intrusion of a new initiator would not only be a reduction in reliabil- 
ity but would require re-qualification of associated components at a tremendous 
cost. Currently there are no plans to pursue recommendation #16. 




Finding #17


In the event that a primary crewmember is unable to fly on an assigned ISS mission, 
current plans call for substituting a crewmember from a backup crew. Backup 
crewmembers do not, however, train extensively with the primary crew. 

Recommendation #17

If backup crewmembers are to be substituted individually to the primary crew, then 
those crews should conduct some meaningful degree of joint training. 

Response 

NASA concurs with the recommendation. Clearly, crews that are going to be flying 
together need to spend time together on the ground. Our current training process 
includes numerous training sessions where the backup crew is in attendance with 
the prime crew. And while there are not specific simulator sessions with joint or 
mixed crews, more importantly, the Expedition 1 and 3 crews do spend quite a bit 
of time together (as do the Expedition 2 crew and their backups, Expedition 4). 

The current policy of the organization is that backup crews can be substituted for 
the prime crew right up until launch. However, the decision will be made on a case- 
by-case basis whether one person or the entire crew is changed out. Our current 
plan does make provision for the former to occur. 




Finding #18

The EVA project lacks sufficient operational assets to meet unplanned contingencies. 
There are no spare Extravehicular Mobility Units (EMU’s). Only five U.S. Simplified 
Aid for EVA Rescue (SAFER) flight units will be available to meet a requirement to 
maintain three units on orbit. In addition, only four Russian SAFER units are planned. 

Recommendation #18

To meet contingencies that are almost certain to arise, additional EMU’s and SAFER 
units or their critical long lead components should be procured as soon as possible. 

Response 

NASA concurs with the ASAP recommendation. With respect to the EMU, the inven- 
tory of life support system (LSS) hardware will be 14 (13 Class I and 1 Class II) by 
October 1999. Exceedances to our supply begin in 2000. In order to achieve a 90 per-
cent probability of sufficiency, NASA must increase its inventory by two LSS’s. NASA
plans on addressing this issue within the Program Operating Plan (POP) 99. We plan 
to upgrade the current Class II LSS to Class I and upgrade the certification unit to 
Class II. This will increase our inventory to 15. NASA also plans to go forward with 
the recommendation to procure an additional LSS to achieve 16 LSS’s. 

Additionally, the current space suit assembly (SSA) flight hardware models predict 
SSA demand beyond the current inventory of 15. The demand peaks at 23 for one 
month, but there are 15 months where it is at 18 through 2004. The current plan is 
to procure hardware to 18 through the POP 99. SSA hardware shortages can be deter- 
mined once crewmembers are selected. The lead times for SSA hardware are such 
that once shortages are determined, specific hardware shortages can be procured. 

The current training model for the EMU predicts demand not to exceed the procured 
inventory of 10; therefore, sufficient inventory exists for training. 

With respect to the USA SAFER, NASA concurs with the ASAP recommendation on 
obtaining critical long lead components. In fact, the majority of the long lead com- 
ponents have already been procured. These components are expected to support the 
USA SAFER flight units for their 7-year life. 

NASA can normally support the requirement to maintain three USA SAFER flight 
units on orbit with five flight units in service. The current rotation plan utilizes two 
of the flight units to accommodate rotation of back-to-back missions where the turn- 
around time is approximately 1 month. With one flight unit out of service, four USA 
SAFER flight units can be rotated to maintain three units on orbit for 92 percent of
the flights per the International Space Station (ISS) assembly sequence dated
February 22, 1999. The remaining 8 percent of the flights can also be supported with
contingent coordination ahead of time to reduce the turnaround time from approx- 
imately 1.5 months to approximately 1 month. 

Another option was already planned to deal with the margin in the rotation of five 
USA SAFER flight units. In order to increase the USA SAFER logistics margin, an exten- 
sion of the 1-year certification will be assessed based on flight performance. Being 
able to leave the units on orbit longer will allow the rotation rate to decrease suffi- 
ciently to eliminate any problems with having one unit out of service. Data will be 
collected for analysis immediately after the flight units are declared fully operational. 

At the present, additional USA SAFER flight units are not needed for the following 
reasons: 

1) The rotation of five flight units can fully support the flight requirement; 2) the 
rotation of four flight units can support the flight requirement for at least 92 percent 
of the current ISS assembly flights; 3) the turnaround time can be reduced for spe- 
cial cases; and 4) the on-orbit certification is expected to be extended with additional 
flight data. However, in the event a USA SAFER flight unit is not available for any 
reason, the EVA crew is trained to use the two-fault tolerant tethering scheme to meet 
the safety requirement. This tethering scheme is fully certified and has been used suc- 
cessfully during several EVA’s, including those on the recent STS-88 mission. 

Lastly, with respect to the Russian SAFER, NASA has revised its plan and will now pro- 
duce five flight units, rather than four, in order to support the logistics model 
consistent with the USA SAFER plan. 




Finding #19 


The three available sizes of EMU planar Hard Upper Torso (HUT) units will accom- 
modate crewmembers from the 40th percentile female to the 95th percentile male. 
Assumptions were made regarding the ability of crewmembers to upsize or down- 
size to fit the three available HUT sizes and operate safely and effectively in them. 

Recommendation #19

To validate the ability of crewmembers to actually use the various available HUT 
sizes, crewmembers in each of the several size combinations/configurations should 
be required to perform normal and emergency functions in training mockups to 
demonstrate that full capability is available to each. 

Response 

NASA agrees with the ASAP recommendation, as it is part of our standard process. 
Crewmembers are sized in 1-G and suit fit is verified during Neutral Buoyancy 
Laboratory (NBL) and vacuum chamber testing. Nominal suit fit capability is verified 
in the NBL, while emergency procedures are demonstrated under vacuum conditions 
using flight hardware. 




Finding #20


The EVA Research and Technology (R&T) program has been highly successful, and its 
products have led to the development of significant safety and operational improve- 
ments to EVA hardware and procedures. Current funding for advanced R&T for EVA 
is extremely limited. 

Recommendation #20

Restore the EVA R&T program to a level that will permit further development of not 
only near-term safety and operability improvements but also long-term products. 

Response 

NASA recognizes the importance of the EVA R&T program. The EVA Project Office 
maintains the EVA technology roadmap, and, when appropriate, makes recommen- 
dations to the existing Programs when it is prudent to pursue R&T development 
(e.g., reduced prebreathe protocol). Also, NASA continues to provide R&T funding 
support, prioritized against requirements from NASA Headquarters on an annual 
basis. 




Finding #21


The safety implications of EVA training for U.S. and international partner astronauts in 
the Russian Hydrolab are not well understood. In particular, the implications of higher 
suit pressures and Russian bends protocols have not been thoroughly analyzed. 

Recommendation #21

NASA should study the procedures used in the Russian Hydrolab to determine their 
safety and monitor all Hydrolab testing when U.S. astronauts are involved.

Response 

NASA concurs with the ASAP recommendation. The Gagarin Cosmonaut Training 
Center (GCTC) Hydrolab facility is an established cosmonaut training facility. The 
GCTC Hydrolab is a neutral buoyancy training facility. The facility is an above-ground,
circular tank with a maximum depth of 12 meters; however, a false floor limits the 
maximum useable depth to 10 meters. The false floor can be raised above the water 
level for positioning mockups, walk-through training, or hardware repair and modifi- 
cation. The standards applied to the Hydrolab's design and operations are not NASA 
standards but instead the Russian equivalent. 

NASA safety and medical representatives have performed a safety assessment of the
GCTC Hydrolab facility utilizing the NASA Safety Standard for Underwater Facility
and Non Open Water Operations, NSS/WS 1740.10, and other JSC requirements as a
guide for directing the safety evaluation of the Hydrolab. The assessment focused on
the suit hardware and its interfaces, including the effects of suit pressure/physiological
depth, facility systems that support training, and pool deck systems.

The Hydrolab is an acceptable facility for conducting operations with NASA personnel
and equipment with one caveat: NASA medical personnel have requested that the
Russians demonstrate proficiency in the use of the hyperbaric chamber at the GCTC.
This demonstration was planned to occur prior to April 30, 1999. Beyond the hyperbaric
chamber proficiency demonstration, the condition of this training facility does
not pose a direct or unreasonable risk to U.S. personnel or vital NASA equipment.
NASA and GCTC have agreed to several procedural and hardware related enhancements
that will be made to the Hydrolab facility to increase the overall safety. JSC
safety and medical representatives will be available in the Hydrolab as part of the test
team during all suited operations in the Hydrolab and will continue to monitor safety
and take further action as required.




For additional information, the complete agreement is documented in EVA Project 
Office memo XA-99-031, dated February 18, 1999, subject: Gagarin Cosmonaut 
Training Center (GCTC) Hydrolab Safety For U.S. Personnel. 




Finding #22


There is an initiative to modify the prebreathe protocol for EVA operations on the
ISS. The target is a 2-hour prebreathe from any pressure with the same or better 
bends risk than the protocol currently used in Space Shuttle operations. 

Recommendation #22

Prior to authorizing any reduction in prebreathe protocol for EVA on the ISS, NASA 
should conduct a study to ensure that there is no increase in the risk of bends asso- 
ciated with the special circumstances of the proposed new protocol. 

Response 

NASA concurs with the ASAP recommendation, and believes that the recommended
study efforts have already been initiated. In 1997, the EVA IPT initiated a Prebreathe
Reduction Program (PRP) to address the risk of decompression sickness (DCS) associated
with reduced prebreathe protocols. The PRP Team developed a detailed 2-year
plan to: 1) develop and test an operationally implementable 2-hour prebreathe protocol;
2) perform a detailed risk assessment of acceptable DCS risk to provide
prospective accept/reject criteria so that there was a clear metric by which to judge
the success or failure of the laboratory trials; 3) develop improved methods for treating
DCS on orbit; and 4) develop flight rules to document in advance the specific
actions that would be taken to manage a DCS contingency should one occur.

Items 2, 3, and 4 from above form the NASA "DCS Risk Definition and Contingency Plan."
Effort required by that plan has been completed and favorably reviewed by an external
review committee chaired by Dr. C. J. Lambertsen. Accept/reject criteria developed from
the above plan were used in an extensive, multi-phase laboratory-testing program of an
operationally implementable 2-hour prebreathe protocol. This effort was initiated in
November 1997 as a multi-center effort led and managed by NASA and involving three
external laboratories (Duke University, the Canadian Defense and Civil Institute of
Environmental Medicine, and the University of Texas Hermann Hospital). A review of the
multi-phased laboratory-testing program results and the entire PRP project conducted
by medical experts of the International Partners (the Multi-Lateral Medical Operations
Panel subcommittee for EVA) resulted in a committee recommendation that the 2-hour
protocol should be safe to implement for EVA’s from the ISS. Furthermore, additional
internal and external reviews of the laboratory data are planned for June 1999. Pending
the recommendations of that review, NASA believes there to be no increase in the risk
of bends associated with the special circumstances of the proposed new protocol, and
the 2-hour protocol will be implemented for operations on ISS Flight 7A, which includes
the first U.S. space walks from the ISS joint airlock.




The PRP Team has also developed a 5-year operational research plan with the goals 
of providing a better understanding of the underlying science of DCS in micrograv- 
ity and the possibility of further reductions in prebreathe without compromise to 
safety. This 5-year research program will include four external laboratories, including 
the Brooks Air Force Base Armstrong Laboratory and the onsite NASA JSC facilities. 

Finally, NASA is committed to continued investigative/research efforts to address any 
relevant data obtained from past, current, or future testing in order to assure no 
increase in the risk of bends associated with the special circumstances of current or 
proposed new protocol. 





Finding #23


The greatest potential for overexposure of the crew to ionizing radiation exists 
during EVA operations. Furthermore, the magnitude of any overexposure cannot be 
predicted using current models. 

Recommendation #23

NASA should determine the most effective method of increasing EMU shielding with- 
out adversely affecting operability and then implement that shielding for the EMU’s. 

Response 

NASA concurs with the ASAP recommendation. Efforts are in work to both minimize 
radiation exposure and to obtain data relative to increased EMU shielding. Efforts to 
minimize EVA doses include coordination to minimize the South Atlantic anomaly 
passes between the Space Radiation Analysis Group, Medical Operations, EVA Office, 
and Flight Director. Monitoring of EVA doses on ISS will include the use of crew 
dosimeters and the external vehicle charge particle detector systems (EVCPDS). 
Developing active dosimeters to be worn inside the EMU that would augment the 
EVCPDS as a warning system and improve the monitoring of crew doses is being con- 
sidered. A proposal to deploy an external tissue equivalent proportional counter prior 
to EVCPDS deployment on ISS Increment 8A that would provide improved EVA dose 
enhancement warning capability is being developed. JSC in collaboration with the 
Lawrence Berkeley National Laboratory is assessing ways to measure the shielding 
capacity of the EMU and the Russian Orlan suit using proton and electron exposure 
facilities at Loma Linda University. These measurements would support a study of the 
effectiveness of increasing EMU shielding. In addition, the development of an electron 
belt enhancement model and improved solar particle event forecasting and Earth geo- 
magnetic field models that would provide large improvements in predictive 
capabilities for the occurrence of enhanced EVA doses is being considered. 




Finding #24


EVA ground rule 4.3.2.12, "No Simultaneous EMU/Orlan ISS Extravehicular Activity," 
is constraining and reduces flexibility. 

Recommendation #24

NASA should reexamine this ground rule and consider a criterion for selecting either 
an EMU or the Orlan suit for a particular EVA based on the specific requirements of 
the EVA or the specific crewmembers performing the EVA. 

Response 


NASA concurs with the intent of ASAP recommendation. Current mission planning 
requires one-fault tolerance for both EVA hardware and personnel. Additionally, all 
EVA crewmembers (a minimum of three will be onboard the vehicle) will be trained 
to operate in both the U.S. EMU and Russian Orlan. Therefore, for example, a 
crewmember planning to perform an EVA in the EMU would have the following fault 
tolerance capability: 1) primary EMU; 2) backup EMU; then 3) Orlan. Fault tolerance 
alone precludes the need to plan for a simultaneous EMU/Orlan EVA; however, the 
primary rationale for not planning for this is the safety risks associated with two dif- 
ferent suit procedures/parameters during a single EVA. 

Primary spacesuit monitoring responsibility will reside with the country responsible 
for the development of the hardware (i.e., Russians will have primary responsibility 
for the Orlan and Americans for the EMU). Therefore, if both the Orlan and EMU were
in use during a single EVA, a shared responsibility for monitoring spacesuit perfor- 
mance exists. If an emergency occurs, there are increased safety risks that result from 
the shared responsibilities. Based on the increased safety risks and given the fault tol- 
erance capability defined above, NASA does not believe it is prudent to plan for the 
option to use both the EMU and Orlan simultaneously. 




Finding #25


The NASA Standard Initiator (NSI) on a SAFER unit tested on STS-86 on October 1,
1997, did not activate because of a marginal design of the activating power supply. 
As a result, the unit could not function. The certification testing for the firing circuit 
did not identify the power supply inadequacy. Also, an inadequate NSI emulator was 
used for most of the original SAFER certification (qualification) and acceptance tests 
(see also Finding #14). 

Recommendation #25a

The design and implementation of flight systems critical to safety and mission suc- 
cess should, at least, provide redundancy for system startup. 

Response 

NASA concurs with the ASAP finding that the NSI drive circuit of the USA SAFER was 
marginal in its design to the point where the drive circuit failed to activate the NSI 
during a demonstration on STS-86. The failure was due to lack of margin within the 
subsystem to drive the NSI and not due to lack of redundancy (a backup subsystem) 
to the subsystem. Adding redundancy (a backup subsystem) to drive the NSI would 
not resolve the lack of margin as both the primary and backup subsystems would still 
fail to drive the NSI without sufficient margin. This condition was addressed by addi- 
tion of a new NSI circuit with increased margin to fire the NSI on demand. In 
addition the new NSI contains redundant components where possible. 

The USA SAFER is categorized as emergency hardware and is designed for use only
after the EVA crewmember had inadvertently separated from structure due to a
tether failure or a tether disconnection. The combination of the tether and USA
SAFER provide a functional redundancy to each other and a fail-operational system,
which can sustain one failure in the tether (functional after one failure) and still
retains the capability to continue with the EVA. A subsequent failure of the tether
(two failures) and a functional USA SAFER provide a fail-safe system, which still
retains the capability to successfully terminate the mission by using the USA SAFER
to bring the inadvertently-separated EVA crewmember back to safety. Once the USA
SAFER is needed to perform self-rescue in its role as the fail-safe device, its failure to
perform due to any reason would result in loss of the EVA crewmember. Because the
USA SAFER is to provide the fail-safe capability, as the functional redundancy to the
tether, it was designed as a single-string system. As such, redundancy was not required
for all subsystems and components. Adding redundancy to the activation subsystem
alone would not increase the probability of saving an inadvertently separated
crewmember since other critical subsystems (propulsion and mechanism) are still
single-string. NASA will evaluate redesigning the next generation SAFER to be fully
redundant in critical functions.

Recommendation #25b

All NASA Centers should review the design requirements for reliable activation of the 
NSI and assure they are adequate to be communicated to their suppliers, especially 
those who are responsible for the design of firing circuits. All designs currently using 
NSI’s should be reviewed to assure that the firing circuits are adequate and have been 
appropriately tested. 

Response 

NASA agrees with the ASAP recommendation. The new USA SAFER NSI circuit 
employs the capacitive discharge approach which has been well proven by the SSP.
Peer reviews were held to evaluate the new circuit design, and a series of tests were
performed with the complete flight circuit. Also, the Engineering Directorate’s
Pyrotechnic Subsystem Manager performed a comprehensive review of all known
uses of the NSI to ensure an acceptable design existed and that appropriate
certification/acceptance tests had been accomplished. Lastly, a User’s Guide (JSC-28596)
for the NSI was developed to assist developers in selecting the appropriate NSI, 
designing the appropriate NSI drive circuit, and testing the complete NSI subsystem. 

Recommendation #25c 

Qualification tests of safety-critical equipment must use flight-quality hardware. Any 
exceptions must require high-level program approval. 

Response 

NASA concurs with ASAP recommendation to use flight-quality hardware to support 
qualification testing. The new USA SAFER circuit certification was completed with 
the successful firing of 15 flight NSI’s consecutively.




Finding #26


Achieving the objectives of the first of NASA’s Three Pillars, Global Civil Aviation, 
requires greater involvement and support by the Federal Aviation Administration (FAA). 

Recommendation #26

NASA should pursue further commitment from the FAA to participate in the first of 
NASA’s Three Pillars, Global Civil Aviation. 

Response 

In 1998 and 1999 our commitment to the President’s aviation safety challenge was 
met through early safety products from each of our Base Research and Technology 
programs. In 2000, the Aviation Safety focused program begins, in addition to some 
investment in the Base. The planning for our investment was done in complete har- 
mony with the FAA’s activities — both their research investment, as well as their 
operational efforts. Implementing the results of our collaborative research and tech- 
nology efforts are fundamental to achieving our safety goal. The recent commitment 
between the FAA Administrator, Ms. Garvey, and Mr. Goldin committed our two agen- 
cies to our two agencies’ goals. Further, our Aviation Safety Program is part of the 
Safety Joint Working Group, and reports to the FAA-NASA Executive Committee that 
oversees all cooperative activities between the two agencies. The Program also works
as partners with FAA to implement the program and will maintain close coordination 
with the Department of Defense and other government agencies. And, significantly, 
the Safety Program Manager is a member of the Commercial Aviation Safety Team and
General Aviation Joint Steering Committee — government-industry leadership groups
developing and managing overall National safety strategies. NASA aviation safety
research and technology efforts therefore complement both FAA and industry activities
as a coordinated overall effort.





Finding #27


The X-34 technology demonstrator program faces safety risks related to the vehicle’s 
separation from the L-1011 carrier aircraft and to the validation of flight software. 
Moreover, safety functions seem to be distributed among the numerous contractors, 
subcontractors, and NASA without a clear definition of roles and responsibilities. 

Recommendation #27

NASA should review and assure that adequate attention is focused on the potentially 
dangerous flight separation maneuver, the thorough and proper validation of flight software,
and the pinpointing and integration of safety responsibilities in the X-34 program.

Response 

Wind tunnel separation tests simulating the separation of the X-34 from the L-1011 
have been successfully completed, using scale wind tunnel models of the X-34 and 
L-1011. The X-34 release mechanism is based on the flight-proven Pegasus release 
mechanism designed by Orbital Sciences Corporation. The A-1 vehicle will be flown
in captive carry mode under the L-1011; additionally, the A-2 vehicle will be flown in
dress rehearsal attached to the L-1011. The aerodynamic forces and flying qualities of
the combined vehicles will be assessed during these flights. 

The flight software will be carried through a thorough Verification and Validation 
testing process by Orbital Sciences Corporation. Performance tests of the X-34 navi- 
gation system (hardware and flight software) have already been conducted at the 
White Sands Missile Range using an aircraft platform. Subjecting the flight software 
to IV and V remains an option to the program if concerns about the software dictate.

In May 1998, Code Q conducted a detailed review of safety and mission assurance
processes being used by the X-34 program, and found the existing processes in place 
at Orbital Sciences Corporation and its subs to be satisfactory. Recommendations 
from the review have been addressed, and are available for review. A follow-up review 
with Code Q and the X-34 Project Office was held on December 10, 1998. 




Finding #28


Because X-33 and X-34 flight range safety is the responsibility of another agency, 
NASA may have a tendency to pay less attention to that aspect of the programs. 

Recommendation #28 

When NASA-sponsored vehicles are using a test range, NASA should not abdicate its 
responsibilities to ensure safe flight. 

Response 

The X-33 flight test profiles have met the long established requirements for flight 
safety for all military Ranges. Additionally, the flight test program has undergone 
scrutiny from all potentially impacted organizations, both private and government, 
through the public process for an Environment Impact Statement (EIS). All overflight 
routes, trajectories, and landing sites were included in the EIS analyses. The X-33 filed
its Record of Decision on November 4, 1997. 

Public law and Department of Defense regulations place Range safety responsibility 
in the hands of the Range Commander not NASA. The NASA X-33 Program Office is 
satisfying every Air Force Range requirement and risk analysis. NASA, as the user, is 
supporting the Range and is applying expertise from both Dryden Flight Research 
Center and Marshall Space Flight Center in every topic of flight and ground safety. 




Finding #29


The Space Shuttle General Purpose Computers (GPC’s) are outmoded and limit the 
ability to incorporate necessary software changes and hardware upgrades. 

Recommendation #29

NASA should begin the process of replacing the Space Shuttle GPC’s. As part of this 
effort, NASA should also modularize the flight software. 

Response 

The Space Shuttle Program is addressing the finding and recommendation identified
by the ASAP. A review of the GPC and its flight software was performed in April 1998.
Based on current estimates on GPC mean time between failures, the flight hardware
and spares are expected to be available through at least 2016 (and likely significantly
later). The flight software estimate on memory availability and usage has projected
that memory capacity would be expected to reach its limit in the 2005-2006 timeframe.

A software architecture strategy as part of the overall SSP avionics upgrade effort is
being developed which will mitigate the memory capacity concern. This strategy will
partition the critical software such as flight control and guidance from software that
requires periodic change. The result of this partition would allow those stable software
functions like flight control to remain within the current GPC’s while allowing
those functions that frequently change to be migrated to a newer computer technology.
The offloading of the software functions such as display processing and
systems management from the current GPC’s should permit current GPC memory
capacity to remain acceptable through at least 2020. Additionally the software subject
to frequent change would be located within a system, which will be designed to
be more easily reconfigurable than the existing system.

In summary, a supportability concern does not exist for the current GPC’s. Continued
use of the existing GPC’s and their established processes will maintain high levels of
safety. Software partitioning involving the offloading of software functions to a more
flexible system will provide sufficient memory availability for future GPC software
changes. This approach will provide an evolutionary and a migration path to full GPC
upgrade if it is later required.




Finding #30


There is no formal requirement that dependent Space Shuttle I-loads be recalculated 
or checked when an I-load patch is to be uplinked.

Recommendation #30

NASA should create a dependency matrix of all I-loads. Furthermore, it should assess
its Space Shuttle and ISS procedures and ensure that they are all fully documented. 

Response 

NASA believes that we already meet the intent of the recommendation. Flight
Operations processes and documentation ensure proper I-load change implementation
for all flight design I-loads, including uplinkable I-loads. These procedures
include positive verification that the selected or uplinked values do not violate subsystem,
element, or integrated vehicle certification and that the update meets mission
requirements. I-load dependencies are verified as part of the certification assessment.

Procedures for verifying I-loads to be uplinked vary. In some instances uplinked
I-loads change vehicle response in a way that impacts several of the remaining I-loads;
i.e., Day-of-Launch I-load Update (DOLILU). Those verification assessments include an
analysis which uses a high fidelity computer model to simulate integrated vehicle
response to the new I-loads. These simulations include models of the onboard flight
software of sufficient detail to verify that all applicable I-load interactions are
assessed. In other cases, specific I-load dependencies are evaluated.

A number of flight design uplinks involve an uplink of values that are generated and
verified days or sometimes months before launch. These I-loads include vehicle navigation,
targeting, and abort parameters. Verification procedures for these I-loads are
identical to that used during the normal flight design template.

For all cases, procedures clearly specifying verification requirements including specific
I-load dependency evaluations, as applicable, are in place and under
configuration control.
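
The dependency matrix that Recommendation #30 calls for can be made concrete with a small sketch. The following Python is an added illustration, not NASA flight-design code or procedure: the I-load names and the dependencies between them are constructed, and the gate refuses an uplink patch until every directly or indirectly dependent I-load has been recalculated in the same patch or re-verified.

```python
from collections import deque

# Constructed sample data: every I-load name below is hypothetical.
ILOADS = ["WIND_PROFILE", "PITCH_TABLE", "THROTTLE_TABLE",
          "ABORT_BOUNDARY", "NAV_INIT_STATE"]

# DEPENDS_ON[i][j] == 1 means ILOADS[i] was computed from ILOADS[j],
# so a change to ILOADS[j] invalidates ILOADS[i].
DEPENDS_ON = [
    # WIND PITCH THROT ABORT NAV
    [0, 0, 0, 0, 0],   # WIND_PROFILE: independent input
    [1, 0, 0, 0, 0],   # PITCH_TABLE derived from WIND_PROFILE
    [1, 0, 0, 0, 0],   # THROTTLE_TABLE derived from WIND_PROFILE
    [0, 1, 1, 0, 0],   # ABORT_BOUNDARY derived from both tables
    [0, 0, 0, 0, 0],   # NAV_INIT_STATE: independent input
]


def dependents_of(patched, names=ILOADS, matrix=DEPENDS_ON):
    """Return every I-load that depends, directly or transitively, on a
    patched I-load (the patched ones themselves are excluded)."""
    patched = list(patched)
    index = {name: i for i, name in enumerate(names)}
    unknown = sorted(set(patched) - set(index))
    if unknown:
        # Fail closed: a name missing from the matrix cannot be assessed.
        raise ValueError(f"unknown I-load(s): {unknown}")

    seen = set(patched)
    queue = deque(patched)
    while queue:
        src = index[queue.popleft()]
        # Walk the column for `src`: each set row is a direct dependent.
        for row, name in enumerate(names):
            if matrix[row][src] and name not in seen:
                seen.add(name)          # the visited set also stops cycles
                queue.append(name)
    return sorted(seen - set(patched))


def uplink_gate(patch, reverified, names=ILOADS, matrix=DEPENDS_ON):
    """Allow the patch only if every dependent I-load is either part of
    the patch or listed as re-verified. Returns (allowed, missing)."""
    reverified = set(reverified)
    required = dependents_of(patch, names, matrix)
    missing = [name for name in required if name not in reverified]
    return (not missing, missing)


if __name__ == "__main__":
    patch = ["WIND_PROFILE"]
    print("dependents:", dependents_of(patch))
    print("gate:", uplink_gate(patch, ["PITCH_TABLE", "THROTTLE_TABLE"]))
```
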




Finding #31


Present plans depend on human procedures to achieve lockout to prevent inadver- 
tent or unauthorized access to actual hardware when using the new Checkout and 
Launch Control System (CLCS). 

Recommendation #31

NASA should use a computerized authorization to achieve lockout of commands to 
actual hardware from anyone not authorized to issue such a command in CLCS. 

Response 

NASA concurs with the ASAP recommendation. The CLCS Project will undertake a 
study with the Shuttle engineering community to determine how these lockouts 
could be implemented. The results will include a preliminary set of requirements for
CLCS and other systems, such as the Shuttle Data Center and Simulation Systems, an 
operational risk assessment for implementing these changes, and a rough order of 
magnitude cost assessment for implementing these changes. The study will be com- 
pleted in a timely manner so that implementation can be accomplished in time to 
avoid extensive revalidation of CLCS application software. Progress reports will be 
presented to the ASAP during their CLCS review meetings. 





Finding #32


NASA does not have a plan in place to deal with the problem of maintaining the many 
commercial off-the-shelf (COTS) software development tools used in its programs. 

Recommendation #32

NASA should develop a general strategy and provide programwide guidelines for 
addressing the maintenance of COTS tools. 

Response 

NASA concurs with the finding that no programwide plan exists addressing the main- 
tenance of COTS software development tools. A programmatic action has been 
assigned to develop the usage requirements for COTS/modified off-the-shelf software 
including the associated development tools. These guidelines will document maintenance
and selection guidelines to be used by all of the applicable program elements.





Finding #33


The planning process for computer upgrades for the ISS has begun. Several possible 
upgrades are being discussed, such as replacing the Mass Memory Unit, upgrading 
the processor, upgrading the compiler used, and replacing the Portable Computer 
Systems (PCS). 

Recommendation #33

NASA should proceed with the upgrade of ISS computer components expeditiously.
In particular, the replacement of the mass storage device with solid-state memory 
should be made as soon as possible. 

Response 

NASA concurs with the recommendation. A change request is currently being 
processed to retro-fit the solid state mass memory into the MDMs. The intent is to 
make the hardware change prior to flight of the MDMs. 




Finding #34


Configuration management of ISS software does not include the source code for all 
of the elements being developed by the international partners. 

Recommendation #34

NASA should strengthen the configuration control for ISS software to include software
(source code as well as binary) and simulations produced by all international
partners and vendors. 

Response 

NASA partially concurs with the recommendation, however, there seems to be some 
misunderstanding here. The source code for the Russian Service Module SM software 
is delivered to the SDIL. Some of the other partners, however do not deliver source 
code. This is based on their concerns that delivery of source code could compromise
their contractor’s proprietary data. From a configuration management viewpoint 
controlling the executable, which is what is loaded into the vehicle, is sufficient. The 
ISS has initiated discussions with all partners to reach agreement on what level of 
source code visibility is necessary to ensure adequate knowledge by the control cen- 
ters for on-orbit anomaly resolution. 

The SM simulation software has been somewhat dynamic as the SM software has 
matured during vehicle testing in Moscow. Now that testing is finishing and the SM 
moves to the launch site, the simulation will stabilize. The flight software and the simulations
are obviously tightly linked and the simulations should typically be updated,
as they are currently, in conjunction with the flight software. NASA is working to put 
in place an encrypted link for electronic transmittals. 




Finding #35


The ISS presently has no programwide software development standards to manage 
software activities performed by NASA, its contractors, and the international partners. 

Recommendation #35

The ISS program should establish programwide standards to aid in specifying, designing,
developing, and managing all future ISS software projects. These standards can be
as simple as a set of best practices. 

Response 

NASA concurs with the recommendation. To this point in the program Mil-STD-498 
has been used as the basis for software development. However it has not been doc- 
umented as the "ISS standard". Discussions have been initiated with all the partners 
to establish a program wide recognized standard. 





Finding #36


Several software developments are on the critical path for launch and operation of 
the ISS. While some software elements have had the early involvement of a multi-dis- 
ciplinary team that includes users and operators, many have not. The lack of user 
involvement results in increased schedule and safety risk to the program. 

Recommendation #36 

The ISS program should follow a concurrent engineering approach to building soft- 
ware that involves users and other key discipline specialists early in the software 
development process to provide a full range of perspectives and improve the under- 
standing of requirements before code is developed. 

Response 

NASA concurs with the recommendation. The US portion of the ISS is structured 
around an Integrated Product Team approach. This approach did, and does, include 
specialists from users and operators during all phases of development. The interna- 
tional partner’s development is followed closely by subsystem and operations 
working groups to enhance system understanding and involvement by system 
experts, crew, and operations personnel. 






Finding #37


The recent compromising of the Data Encryption Standard (DES) suggests that the 
ISS command uplink may not be sufficiently protected. 

Recommendation #37

NASA should engage the National Security Agency to conduct a thorough evaluation 
of the level of protection provided by the current system and proceed as rapidly as 
feasible with its plans for a more secure encryption system for the ISS. Potential vul- 
nerabilities of the ground elements of the system should also be assessed. 

Response 

NASA concurs with the recommendation. The ISS Program Office has been working 
with the NASA HQ Security Office, the NSA and NIST to define an acceptable replace- 
ment for DES. The newly selected encryption standard for ISS is Triple-DES, as 
approved at the Avionics Software Control Panel on March 17, 1999. The target date
to begin implementation is assembly flight 9A with completion at 13A. 




Appendix C

AEROSPACE SAFETY ADVISORY PANEL ACTIVITIES
JANUARY-DECEMBER 1999

JANUARY 

January 5-8, 1999 - Kennedy Space Center, Fact-Finding 

January 22, 1999 - NASA Headquarters, International Space Station Uplink
Encryption Meeting

January 28, 1999 - Marshall Space Flight Center, SRB Vendor Visit 
January 28-29, 1999 - Johnson Space Center, Software Summit Meeting 


FEBRUARY 

February 4-5, 1999 - NASA Headquarters, ASAP Annual Meeting 

February 23-24, 1999 - Kennedy Space Center, Space Shuttle Program Manager’s 
Review 

February 24-25, 1999 - Rocketdyne, SSME and ISS Power System Fact-Finding and 
SSME Vendor Visit 

February 25, 1999 - NASA Headquarters, Testimony before the House 
Subcommittee on Space and Aeronautics 




MARCH 


March 2-3, 1999 - Ames Research Center, Review of Human Factors
March 12, 1999 - NASA Headquarters, Meeting with KSC Inspector General
March 23, 1999 - NASA Headquarters, Workforce Meeting
March 29-31, 1999 - Johnson Space Center, Fact-Finding

APRIL 

April 21-22, 1999 - Johnson Space Center, Software Summit Meeting 
April 29-30, 1999 - Johnson Space Center, Computer Team Fact-Finding 

MAY 

May 5, 1999 - Kennedy Space Center, STS-96 Flight Readiness Review 

May 5-6, 1999 - Michoud Assembly Facility, Integrated Logistics Panel Meeting 

May 12, 1999 - NASA Headquarters, Panel Administration 

May 19-21, 1999 - Marshall Space Flight Center, Fact-Finding 

May 24, 1999 - Johnson Space Center, Space Shuttle Program Manager POP 99 
Review 

May 26, 1999 - NASA Headquarters, Panel Administration 




JUNE 


June 7-9, 1999 - Kennedy Space Center, Plenary Session 

June 17, 1999 - Kennedy Space Center, KSC Safety Day 

June 21-22, 1999 - Langley Research Center, Fact-Finding 

June 22, 1999 - Seattle, Washington, Boeing Space Group, IUS Fact-Finding 

June 24-25, 1999 - NASA Headquarters, Fact-Finding 

June 29, 1999 - NASA Headquarters, Fact-Finding 

JULY 

July 1, 1999 - NASA Headquarters, IUS Fact-Finding 

July 6, 1999 - NASA Headquarters, IUS Fact-Finding 

July 8, 1999 - Kennedy Space Center, STS-93 Flight Readiness Review 

July 14-15, 1999 - Johnson Space Center, Crew Return Vehicle Fact-Finding 

July 20, 1999 - Kennedy Space Center, STS-93 Launch 

July 28, 1999 - NASA Headquarters, Fact-Finding 

AUGUST 

August 19-20, 1999 - NASA Headquarters, Fact-Finding 

August 24-25, 1999 - Ames Research Center, Aero-Space Technology Fact-Finding 
August 25-26, 1999 - Ames Research Center, Computer Team Fact-Finding 
August 31, 1999 - Johnson Space Center, Radiation Risk Meeting 


SEPTEMBER 


September 1, 1999 - Johnson Space Center, Radiation Risk Meeting 

September 8, 1999 - NASA Headquarters, Fact-Finding with Ames Personnel 

September 15, 1999 - NASA Headquarters, Fact-Finding 

September 22-23, 1999 - Johnson Space Center, Plenary Session 

September 29, 1999 - NASA Headquarters, Inspector General Meeting and ELV
Meeting


OCTOBER

October 4, 1999 - Kennedy Space Center, Fact-Finding

October 5-6, 1999 - Dryden Flight Research Center, Fact-Finding

October 8, 1999 - Kennedy Space Center, ELV RL-10 ERB

October 12, 1999 - Marshall Space Flight Center, Workforce Fact-Finding

October 18, 1999 - NASA Headquarters, Fact-Finding

October 19, 1999 - Vandenberg Air Force Base, ELV Fact-Finding

October 26, 1999 - Ogden, Utah, Thiokol Space Operations, Fact-Finding




NOVEMBER 


November 3, 1999 - NASA Headquarters, Workforce Fact-Finding 

November 3-5, 1999 - NASA Headquarters, Plenary Session 

November 9, 1999 - Johnson Space Center, Fact-Finding 

November 16, 1999 - Kennedy Space Center, ELV Fact-Finding 

November 16-17, 1999 - Johnson Space Center, Computer Team Fact-Finding 

November 16-17, 1999 - Melbourne, Florida, Participate in 5th Annual Florida 
Space Launch Symposium 

November 17-18, 1999 - Ogden, Utah, Thiokol Space Operations, Integrated 
Logistics Panel Meeting 

November 18-19, 1999 - Kennedy Space Center, STS-103 Flight Readiness Review
November 29-30, 1999 - NASA Headquarters, Editorial Committee Meeting 

DECEMBER 

December 1, 1999 - NASA Headquarters, Editorial Committee Meeting 

December 8, 1999 - Kennedy Space Center, United Space Alliance Independent 
Review of Orbiter Sub-Systems 

December 9, 1999 - Kennedy Space Center, Deliberations on LH2 Recirculation Line 
December 14, 1999 - NASA Headquarters, Editorial Committee Meeting and Telecon
December 16, 1999 - STS-103 Countdown












